Preface


We are delighted to introduce the proceedings of the 13th edition of the European
Alliance for Innovation (EAI) International Conference on Ad Hoc Networks
(ADHOCNETS 2021). This conference brought together researchers, developers, and
practitioners from around the world to disseminate, exchange, and discuss all
recent advances related to ad hoc networks.

The technical program of ADHOCNETS 2021 consisted of 15 full papers, which 
were selected from 29 submitted papers. Aside from the high-quality technical paper 
presentations, the technical program also featured a keynote speech given by Tao Gu 
from the School of Computing at Macquarie University, Australia. 

Coordination with the steering committee, Imrich Chlamtac, Shiwen Mao, and Jun
Zheng, was essential for the success of the conference. We sincerely appreciate their
constant support and guidance. It was also a great pleasure to work with such an
excellent organizing committee team for their hard work in organizing and
supporting the conference. Moreover, we would like to thank the Technical Program
Committee who completed the peer-review process for technical papers and helped to
put together a high-quality technical program. We are also grateful to Conference
Manager Karolina Marcinova for her support and all the authors who submitted their
papers to the ADHOCNETS 2021 conference and workshops.

We strongly believe that ADHOCNETS provides a good forum for all researchers,
developers, and practitioners to discuss all science and technology aspects that are
relevant to ad hoc networks. We also expect that the future editions of the
ADHOCNETS conference will be as successful and stimulating, as indicated by the
contributions presented in this volume.
Preface


We are delighted to introduce the proceedings of the sixteenth edition of the European
Alliance for Innovation (EAI) International Conference on Tools for Design,
Implementation and Verification of Emerging Information Technologies
(TRIDENTCOM 2021). This conference brought together technical experts and
researchers from academia and industry worldwide to discuss the emerging
technologies such as blockchain, deep learning, edge computing, cyber-physical
systems, cybersecurity, and computer communications.

The technical program of TRIDENTCOM 2021 consisted of eight full papers, which
were presented in two sessions. Aside from the high-quality technical paper
presentations, the technical program also featured two keynote speeches given by
Ying-Dar Lin from National Chiao Tung University (NCTU) and Jaideep Vaidya from
Rutgers University.

Coordination with the general chairs, Yong Xiang and Song Guo, was essential for the 
success of the conference. We sincerely appreciate their constant support and guidance. 
It was also a great pleasure to work with such an excellent organizing committee team 
for their hard work in organizing and supporting the conference. In particular, we are 
grateful to the Technical Program Committee who completed the peer-review process for 
technical papers and helped to put together a high-quality technical program. We are also 
grateful to Conference Managers Jacqueline Sirotova and Aleksandra Sledziejowska for 
their support and all the authors who submitted their papers to the TRIDENTCOM 2021 
conference. 

We strongly believe that TRIDENTCOM provides a good forum for all researchers,
developers, and practitioners to discuss all science and technology aspects that are
relevant to blockchain, deep learning, edge computing, cyber-physical systems,
cybersecurity, and computer communications. We also expect that the future editions
of the TRIDENTCOM conference will be as successful and stimulating, as indicated by
the contributions presented in this volume.
Abstract. Nowadays, Unmanned Aerial Vehicles (UAVs) are widely used
in a variety of fields, especially in military and industrial applications.
However, the usage of a single UAV has begun to be insufficient in most
missions. A single UAV may not complete its mission in cases of rapid
depletion of its batteries, a limited field of view, long-term performance of
a task, a fall, or a malfunction in the system due to an external effect.
In such cases, Flying Ad Hoc Networks (FANETs), which allow more than
one UAV to participate in a common network and execute complex tasks
in an organized manner, are recommended. However, FANETs are targets
of attacks because they are used in critical applications. Moreover, they
are vulnerable to a variety of attacks due to their very nature and the
cooperative routing protocols they use. FANETs also require new
security solutions, or adaptation of existing security solutions for Mobile
Ad Hoc Networks (MANETs), since they have much higher mobility than
MANETs. Since mobility could affect security in different ways, attacks
against FANETs should be analyzed first. This is the main aim of this
study. In this paper, various attacks against FANETs, namely dropping,
blackhole, sinkhole, and flooding attacks, are analyzed. This is the first study
that presents a comprehensive attack analysis in FANETs by simulating
realistic network scenarios, where UAVs move in 3D as in real life.


Keywords: FANET · UAV · AODV · Routing attacks · Blackhole attack ·
Flooding attack · Dropping attack


1 Introduction 


Unmanned aerial vehicle (UAV) systems have started to be used in many areas
with the rapid development of technology. They are already frequently used
in military, industrial and civilian applications. In particular, the ability of
UAVs to work as a group without human intervention has led to further expansion
of their research areas. However, in order to work in groups, they first need to
set up a communication network among themselves. Ad hoc networks, which can
be formed without the need for human intervention, resolve faults and organize
themselves, are suitable for providing network connectivity between UAVs [14].
However, the high speed and mobility of UAVs, in contrast to many other types of
ad hoc networks, cause the topology to change very dynamically. Therefore,
a new type of ad hoc network called Flying Ad Hoc Networks (FANETs) has
emerged and become one of the popular research areas [13]. FANETs have
been used in many applications in order to execute specialized tasks such as
monitoring, surveillance and reconnaissance, and environmental surveillance. In
such applications, nodes could report their findings to ground controller systems
or designated nodes in the network [12, 25].

FANETs are used in many applications, especially mission-critical ones,
which makes them the target of new attacks. First of all, the use of wireless
links makes the network susceptible to eavesdropping and active interference
attacks. Furthermore, routing protocols designed for ad hoc networks rely on
the cooperativeness of nodes, which makes insider attacks very effective
in such networks. Although the AODV protocol is a popular routing protocol for
FANETs, it is vulnerable to attacks [10]. The high mobility of such networks could
also affect security in different ways. On the one hand, mobility allows attackers
to evade security solutions while damaging the network. On the other
hand, the effect of attacks could be limited on highly mobile targets. Controller
systems in the network can be the target of attacks such as Denial of Service
(DoS) attacks, and hence the availability of the network can be compromised.

New security solutions are needed for FANETs. While there are
many security proposals for MANETs in the literature, they are not directly
applicable to FANETs due to their high level of mobility. Furthermore, the
existence of ground controller systems allows such nodes to be used in security
solutions, whereas there are no central points in typical MANETs and all data
are distributed. Furthermore, UAVs move in 3D, contrary to nodes
in MANETs and VANETs. Moreover, they might have different mobility models
than other types of ad hoc networks. For example, in order to complete some
missions, they might fly together in one direction as a group and move periodically
towards the ground controller system. Therefore, new security solutions and
architectures should be developed for FANETs or the existing solutions proposed
for ad hoc networks should be adapted to FANETs. This requires attacks against
FANETs to be thoroughly analyzed, which is the main aim of the current study.

In this study, the effects of various routing attacks against FANETs are
analyzed. AODV, which is one of the most popular routing protocols for ad hoc
networks, is used. AODV is also a popular protocol in FANETs due to its
simplicity and low overhead [23]. The attacks, namely dropping, flooding, blackhole
and sinkhole, are analyzed on networks with the percentage of attackers varying
from 5% to 20%. The 3D Gaussian Markov Model is used as the mobility model in
order to simulate flying nodes. While studies in the literature still use 2D
mobility models such as the Random Waypoint Mobility Model and low node speeds
such as 20 m/s that are suitable for MANET applications [17,21], here realistic
network scenarios for FANETs are simulated by using Ns-3 [16]. To the best of the
authors' knowledge, this is the first study that rigorously analyzes attacks
against FANETs on realistic network scenarios. The effects of attacks on simulated
networks are evaluated by using packet delivery ratio, overhead and end-to-end
delay.

The rest of this paper is organized as follows. Section 2 summarizes the related
studies in the literature. Section 3 first gives a brief introduction to the AODV
protocol, then introduces the mobility model and the attacks simulated in
this study. Section 4 gives details about the experimental settings, and presents
the attack analysis results. Finally, Section 5 concludes the paper.


2 Related Work 


Although there are many studies on MANET security in the literature, research
on FANET security is still immature even though FANETs have started to be used
in many applications. There are quite a number of studies that analyze attacks
against AODV on mobile ad hoc networks in the literature [9,11,15,19]. In [15],
both atomic and composite attacks against AODV are systematically presented.
Jain et al. [11] and Dokurer et al. [9] not only analyze blackhole attacks, but also
propose solutions for blackhole attacks by improving AODV. The two approaches
are similar in that they ignore the first RREP message to arrive at the source
node, based on the assumption that this reply packet is from the attacker node.
In [19], the effect of blackhole attacks is evaluated on networks using different
routing protocols, AODV and OLSR. The results show that the AODV protocol
performs better than the OLSR protocol. However, if there is no attack
in the network, OLSR provides higher throughput on small networks.

UAVs can be a potential target for attackers, whether they are part of a group
as in ad hoc networks or operate alone, in order to damage the device and/or
access the data it contains. The impact of such threats targeting its privacy,
security and physical integrity can severely affect both the mission of the UAV
and the network it is included in [2,3]. Moreover, multi-UAV communication is
exposed to additional threats against trust establishment and secure communication
mechanisms. FANETs have higher levels of node mobility and hence more frequent
changes in network topology than traditional MANETs. In [4,20], the authors
discuss the unique characteristics of FANETs and their challenges. Bekmezci et al.
[5] address the security requirements of FANETs and possible threats against these
highly mobile networks. Furthermore, the authors present well-known ad hoc network
attacks and discuss security solutions for such attacks on FANETs.

There are a few security solutions proposed for FANETs in the literature.
Some studies [6,24] propose solutions for sybil attacks. Walia et al. [24] propose
a mutual authentication technique in order to detect sybil attacks. In this method,
each node checks its neighbor nodes and, if there are different neighbors with the
same ID, the node is marked as malicious and monitored. If this marked node
changes its identity, it is assumed to be malicious. The proposed method has
maximum throughput, minimum overhead and packet loss compared to other
methods. Another solution, proposed by Bhatia et al. [6], consists of monitoring,
detection and isolation steps to identify malicious nodes triggering the sybil
attack. In another study [8], a hybrid intrusion detection system is proposed.
The proposed method consists of two steps. First, spectral analysis is used
to generate a specific traffic signature which offers a basic degree of knowledge
regarding the type of intrusion in the network. Second, with the output of the
first step, the controller/observer-based estimation step evaluates the level of
attack observed in the network.

To sum up, even though routing attacks against AODV are extensively studied
in the literature, the different characteristics of FANETs, such as having nodes
with higher speeds that move in 3D, require a new analysis of attacks on these
highly mobile networks. The lack of such an analysis also negatively impacts the
development of security solutions for FANETs.


3 Background 


3.1 Routing Protocol: AODV 


AODV is widely used in ad hoc networks, and FANETs are no exception. Since
there is high mobility in FANETs, routing protocols proposed for them seek
to establish and maintain communication between end points in such dynamic
topologies. AODV is a reactive, multi-hop routing protocol that meets this
need. AODV enables the rapid discovery of routes to a new destination
and cancels out inactive routes [18]. Due to the high speeds of UAVs, FANETs
experience frequent link breakages and disconnection problems.

AODV has two main mechanisms: route discovery and route maintenance. In 
the route discovery phase, the source node, which does not have a valid route to the
destination node in its routing table, broadcasts route request (RREQ) packets. 
Any node having a valid route to the destination could send a unicast route 
reply (RREP) packet to the source node. The source node selects the freshest 
and the shortest path (having minimum number of hops) to the destination. In 
the route maintenance mechanism, locally detected broken links are announced 
to other nodes by using route error (RERR) packets. These packets are frequently 
broadcast to the whole network. 


3.2 Attacks 


Four types of attacks against AODV are analyzed in this study.


Sinkhole Attack. In this attack scenario, the malicious node aims to attract
network traffic to itself by advertising a better route to the destination. This
attack often lays the foundation for further attacks such as selective dropping
and modification attacks.

In this study, when the attacker receives a RREQ message, it replies with a
fake RREP that claims that it is one hop away from the destination node, which
increases its chance of being selected as the shortest path. Moreover, it
advertises itself as the freshest route to the destination by increasing the
destination sequence number, which guarantees that it is selected as the route to
the destination. When this route is selected, the attacker listens to all
communication between the source and the destination nodes; therefore it is called
the sinkhole attack.


Fig. 1. Blackhole attack (legend: RREQ, RREP, dropping packet)


Dropping Attack. In this simple attack scenario, the attacker simply drops
the packets it receives. It could selectively drop packets, such as packets destined
to a particular destination, or it could randomly drop some packets in order
to be more evasive; in the latter case, however, the effect of the attack is
expected to be more limited. Besides data packets, the attacker could also drop
routing control packets. In this case, active routes might not be built or inactive
routes might not be announced in time. Such cases result in re-initiating the route
discovery mechanism, which might consume network resources and cause congestion
and delays. In this study, the attacker drops all data packets it receives.


BlackHole Attack. The blackhole attack is a composite attack that performs
sinkhole and dropping/modification attacks consecutively. First, it directs the
network traffic to itself by advertising that it has the best route to the
destination; then it performs other attacks on the network traffic it receives,
such as modification, dropping, and fabrication attacks. In the simulations here,
the sinkhole attack is carried out as defined above in the first phase of the
attack, and then only the dropping attack is performed in the second phase.

In Fig. 1, a blackhole attack is demonstrated. The source node (S) wants to
discover a route to the destination node (D) by broadcasting a RREQ message.
When the malicious node (M) receives one of these RREQ messages, it replies
with a fake RREP. As shown in the figure, even though M is not on the route to the
destination, it receives data packets sent from S to D, since it claims to be
on the shortest path to the destination.
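
The route preference from Sect. 3.1 (freshest, then shortest) and the forged RREP
described for the sinkhole and blackhole attacks can be put side by side in a small
model, together with a plausibility check on the sequence number. This Python code
is an added example, not code from the paper or its Ns-3 simulation; the threshold
MAX_SEQ_JUMP, the node names and the sample RREPs are assumptions constructed for
illustration, and sequence-number rollover is ignored.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rrep:
    next_hop: str   # neighbour the RREP arrived from
    dest: str       # destination the route leads to
    dest_seq: int   # destination sequence number (higher = fresher)
    hop_count: int  # advertised number of hops to the destination


def is_better(candidate: Rrep, current: Optional[Rrep]) -> bool:
    """Preference used by the source: freshest route first, then fewest hops."""
    if current is None:
        return True
    if candidate.dest_seq != current.dest_seq:
        return candidate.dest_seq > current.dest_seq
    return candidate.hop_count < current.hop_count


def select_route(rreps: Iterable[Rrep]) -> Optional[Rrep]:
    """Plain selection with no plausibility check."""
    best: Optional[Rrep] = None
    for rrep in rreps:
        if is_better(rrep, best):
            best = rrep
    return best


# Assumed threshold (not from the paper): largest sequence-number advance over
# the value the source last knew that is still treated as plausible.
MAX_SEQ_JUMP = 20


def select_route_checked(
    rreps: Iterable[Rrep], last_known_seq: int, max_jump: int = MAX_SEQ_JUMP
) -> Tuple[Optional[Rrep], List[Rrep]]:
    """Set aside RREPs with an implausible freshness claim, then select as usual."""
    accepted: List[Rrep] = []
    flagged: List[Rrep] = []
    for rrep in rreps:
        if rrep.dest_seq - last_known_seq > max_jump:
            flagged.append(rrep)
        else:
            accepted.append(rrep)
    return select_route(accepted), flagged


# Constructed sample: S last knew sequence number 40 for D. A and B hold genuine
# routes; M answers with the pattern described above (one hop, inflated number).
LAST_KNOWN_SEQ = 40
SAMPLE_RREPS = [
    Rrep("A", "D", dest_seq=42, hop_count=3),
    Rrep("B", "D", dest_seq=42, hop_count=4),
    Rrep("M", "D", dest_seq=142, hop_count=1),
]

if __name__ == "__main__":
    print("unchecked:", select_route(SAMPLE_RREPS))
    chosen, flagged = select_route_checked(SAMPLE_RREPS, LAST_KNOWN_SEQ)
    print("checked:  ", chosen, "flagged:", [r.next_hop for r in flagged])
```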


Ad Hoc Flooding Attack. In this attack scenario, the attacker takes
advantage of the high number of messages sent in the route discovery mechanism
in order to overwhelm the network. In this DoS attack, malicious nodes send a
large number of RREQ messages for the selected nodes. This attack results in
increased network traffic, consumption of network and node resources, broken
connections between nodes, and interrupted data transmission. In the
simulations, a random destination node is selected and 20 new RREQ messages are
sent to discover routes to this destination node. The attack is repeated every 3 s
for another destination node that is randomly selected.
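
A monitoring node can spot this pattern by counting how many new RREQs each
originator starts per second. This Python code is an added example, not part of
the paper: the log line format and addresses are constructed, the burst timing
inside the sample is an assumption, and the limit of 10 RREQs per second is the
RREQ_RATELIMIT default of the AODV specification (RFC 3561).

```python
import re
from collections import defaultdict, deque
from typing import Dict, Iterable, Iterator, List, Tuple

RREQ_RATELIMIT = 10   # RFC 3561 default: RREQs a node should originate per second
WINDOW_S = 1.0        # sliding window length in seconds

# Hypothetical log format: "<time> RREQ orig=<addr> id=<rreq id> dst=<addr>"
LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+RREQ\s+orig=(?P<orig>\S+)\s+id=(?P<id>\d+)\s+dst=(?P<dst>\S+)$"
)


def parse(lines: Iterable[str]) -> Iterator[Tuple[float, str, int, str]]:
    """Yield (time, originator, rreq_id, destination); skip unrelated lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["t"]), m["orig"], int(m["id"]), m["dst"]


def peak_rreq_rates(lines: Iterable[str], window: float = WINDOW_S) -> Dict[str, int]:
    """Peak number of distinct RREQs each originator started within one window."""
    recent: Dict[str, deque] = defaultdict(deque)
    seen = set()
    peak: Dict[str, int] = defaultdict(int)
    for t, orig, rreq_id, _dst in sorted(parse(lines)):
        if (orig, rreq_id) in seen:
            continue  # a rebroadcast copy of the same RREQ is not a new origination
        seen.add((orig, rreq_id))
        times = recent[orig]
        times.append(t)
        while times and t - times[0] >= window:
            times.popleft()
        peak[orig] = max(peak[orig], len(times))
    return dict(peak)


def flooders(lines: Iterable[str], limit: int = RREQ_RATELIMIT) -> Dict[str, int]:
    """Originators whose peak rate exceeds the limit, with that peak rate."""
    return {o: n for o, n in peak_rreq_rates(lines).items() if n > limit}


def constructed_log() -> List[str]:
    """Constructed sample: one ordinary node and one node sending 20-RREQ bursts."""
    lines = []
    for i in range(12):  # ordinary node: one route discovery every 0.5 s
        lines.append(f"{i * 0.5:.3f} RREQ orig=10.0.0.2 id={i} dst=10.0.0.25")
    lines.append("0.000 RREQ orig=10.0.0.2 id=0 dst=10.0.0.25")  # overheard twice
    # 20 new RREQs for one destination, repeated 3 s later for another destination
    for burst, dst in enumerate(("10.0.0.11", "10.0.0.19")):
        for k in range(20):
            t = 3.0 * burst + 0.01 * k
            lines.append(f"{t:.3f} RREQ orig=10.0.0.7 id={burst * 20 + k} dst={dst}")
    return lines


if __name__ == "__main__":
    print(flooders(constructed_log()))
```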


Fig. 2. Dropping attack in AODV protocol (legend: RREQ, RREP, dropping packet)


3.3 Gauss-Markov (GM) Mobility Model 


In order to simulate the mobility of UAVs in a realistic way, a three-dimensional
mobility model should be used in the experiments. For that reason, the 3D
Gauss-Markov (GM) Mobility Model, which is a time-based mobility model designed
with a single adjustment parameter to prevent sharp motion changes and to
adapt to various levels of randomness [22], is used in this study. Since the
movements of a node between its consecutive positions must be harmonious [7],
the model keeps the previous movements in its memory. The mobility behaviour
of nodes is adjusted by the α parameter, which takes values between zero and
one. When α is 0, the model is memory-free (i.e. random mobility).
As α gets closer to 1, the motion becomes more predictable.
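
The role of α can be checked numerically. This Python code is an added example,
not the paper's Ns-3 configuration: it uses the standard Gauss-Markov update
(previous value weighted by α, mean weighted by 1 - α, noise scaled by
sqrt(1 - α²)) for speed, heading and pitch, and measures how strongly consecutive
speeds are correlated. The noise spreads and the seed are assumptions, and the
area bounds of the simulation are not enforced.

```python
import math
import random
from typing import Dict, List, Sequence, Tuple

MEAN_SPEED = 200.0   # m/s, i.e. the 720 km/h node speed used in the paper
SPEED_SIGMA = 10.0   # assumed spread of the speed noise (m/s)
ANGLE_SIGMA = 0.3    # assumed spread of heading and pitch noise (rad)


def gm_update(prev: float, mean: float, alpha: float, sigma: float,
              rng: random.Random) -> float:
    """One Gauss-Markov step: memory term + pull towards the mean + fresh noise."""
    noise = rng.gauss(0.0, sigma)
    return alpha * prev + (1.0 - alpha) * mean + math.sqrt(1.0 - alpha ** 2) * noise


def simulate(alpha: float, steps: int, dt: float = 1.0, seed: int = 2021
             ) -> Tuple[List[float], List[Tuple[float, float, float]]]:
    """Return the speed series and the 3D positions of one node."""
    rng = random.Random(seed)
    speed, heading, pitch = MEAN_SPEED, 0.0, 0.0
    x = y = z = 0.0
    speeds: List[float] = []
    path: List[Tuple[float, float, float]] = []
    for _ in range(steps):
        speed = gm_update(speed, MEAN_SPEED, alpha, SPEED_SIGMA, rng)
        heading = gm_update(heading, 0.0, alpha, ANGLE_SIGMA, rng)
        pitch = gm_update(pitch, 0.0, alpha, ANGLE_SIGMA, rng)
        # Convert speed, heading and pitch into a 3D displacement.
        x += speed * math.cos(pitch) * math.cos(heading) * dt
        y += speed * math.cos(pitch) * math.sin(heading) * dt
        z += speed * math.sin(pitch) * dt
        speeds.append(speed)
        path.append((x, y, z))
    return speeds, path


def lag1_autocorrelation(series: Sequence[float]) -> float:
    """Correlation between each value and the next one in the series."""
    n = len(series)
    mean = sum(series) / n
    num = sum((series[i] - mean) * (series[i + 1] - mean) for i in range(n - 1))
    den = sum((v - mean) ** 2 for v in series)
    return num / den


def memory_report(alphas: Sequence[float] = (0.0, 0.495, 0.95),
                  steps: int = 20000) -> Dict[float, float]:
    """Measured lag-1 autocorrelation of speed for each alpha."""
    return {a: lag1_autocorrelation(simulate(a, steps)[0]) for a in alphas}


if __name__ == "__main__":
    for alpha, corr in memory_report().items():
        print(f"alpha={alpha:<5} measured correlation of consecutive speeds={corr:.3f}")
```

The measured correlation tracks α, so the value 0.495 used in the simulations sits
about halfway between memory-free and fully predictable motion.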


4 Attack Analysis 


The main purpose of this study is to analyze routing attacks against FANETs.
Therefore, a number of networks are simulated first without attacks, and then
with the attacks described above. Finally, the performance of all simulated
networks is analyzed. The simulation environment is introduced first, and then
the effects of attacks on these simulated networks are discussed in the
subsequent sections.
4.1 Simulation Settings


In this study, the well-known network simulator Ns-3 [16] is employed to simulate
networks and attacks against FANETs. In order to see the multi-hop
characteristics of AODV, each network consists of 25 nodes, one of which is a
mobile server node. Each network is run without attacks, then run with blackhole,
sinkhole, dropping and ad hoc flooding attacks separately. Different ratios
of attackers from 5% to 20% are applied, and the positions of attackers are
selected randomly five times for each network topology. Hence 70 (14 × 5) network
topologies are executed for each attack type and ratio, and the average of
performance metrics on these 70 networks is given in the results. As noted above,
the 3D Gaussian Markov Model is used in order to represent nodes' mobility in 3D.
The α value starts from 0.495 in order to keep the balance between random mobility
and predictable mobility, and it is increased by 0.001 each time to simulate a
different network topology. The speed of nodes is set to 720 km/h as in real life.
In order to be compatible with FANETs, the 802.11n MAC protocol is used at
5 GHz [1]. The transmission range of the nodes is set to 250 m for the
given network area. Each node sends 15 UDP packets of 1024 bytes to the server
node every 0.5 s. All simulation parameters are summarized in Table 1.

The following performance metrics are employed in order to see the effects
of attacks on networks: packet delivery ratio, end-to-end delay, and overhead.
Packet delivery ratio (PDR) is the average of the ratio of the total
number of packets received by all nodes in the network to the total number of
packets destined for the same nodes. End-to-end (E2E) delay is the average,
measured in seconds, of all delays that occur in the network during data
transmission between end communication points. Overhead is the ratio of the
total control packets generated by the routing protocol to the received data
packets.


4.2 Experimental Results 


In the experiments, 14 networks with varying network topologies are first
executed without any attacker. Then, different attack types are applied to the same
topologies with different ratios of attackers. First, the effects of the sinkhole
attack are given in Table 2 and Fig. 3. Table 2 shows the average values of
performance metrics on networks with different attack ratios. Figure 3 focuses on
PDR by using the box plot representation. As defined above, the attacker does not
drop data packets deliberately in this attack scenario. However, because the
attacker builds inactive routes, data packets might not reach the destination,
as shown in the results. The attacker might not even be on a route between
the source and the destination.
Table 1. Simulation parameters used in Ns-3


Parameter | Value
Routing protocol | AODV
MAC protocol | IEEE 802.11n
Frequency band | 5 GHz
Simulation time | 900 s
Area | 1700 m × 1700 m × 1500 m
Number of nodes | 25
Node speed | 720 km/h
Transmission range | 250 m
Traffic type | UDP
Packet size | 1024 bytes
Packet count | 15
Bandwidth | 6 Mbps
Ratio of malicious nodes | No attack, 5%, 10%, 15%, 20%
Mobility model | GM model
Bounds for GM | X: [-70; 70], Y: [-70; 70], Z: [0; 70]
α for GM | [0.495-0.509]


Table 2. Average performance metrics of networks under sinkhole attack 


Attackers (%) | PDR (%) | E2E delay (s) | Overhead
0% | 91,43 | 0,0253 | 12,5
5% | 84,94 | 0,031 | 6,98
10% | 84,01 | 0,036 | 11,04
15% | 70,11 | 0,018 | 42,16
20% | 56,60 | 0,017 | 111,14


The effect of the dropping attack is given in Table 3 and Fig. 4. Even though the
attacker positions are selected randomly, the same set of attackers is used in
each topology for different attack scenarios. Therefore, the same data packets
pass through attackers in each attack scenario. In addition, more data packets
could be directed to the malicious node in the sinkhole attack. Please also note
that, for each topology, the set of attackers is enlarged by keeping the attacker
nodes already present in the networks with fewer attackers. As shown in the
results, as the number of attackers increases, their effect becomes more evident in
the network.
Fig. 3. PDR of networks under sinkhole attack


Table 3. Average performance metrics of networks under dropping attack 


Attackers (%) | PDR (%) | E2E delay (s) | Overhead
0% | 91,43 | 0,0253 | 12,29
5% | 88,47 | 0,024 | 5,61
10% | 81,84 | 0,036 | 11,87
15% | 70,14 | 0,023 | 42,17
20% | 56,72 | 0,018 | 110,02


Table 4 shows the average of performance metrics on simulated networks
under blackhole attack. In order to see PDR more closely, Fig. 5 shows the
box plot for this performance metric. As shown in the results, the network is
affected more severely as the number of attackers increases. In particular, when
the attacker ratio reaches 15%, PDR decreases to approximately 70%. When the
attacker ratio is 20%, PDR reaches an unacceptable level. However, such attacks
are not very effective on networks having a lower density of attackers due to
high mobility. Since all the attacks analyzed so far cause data packets to drop,
and hence the route discovery mechanism to be re-initiated, the number of routing
control packets on networks increases with the number of attackers.

The blackhole attack reduces PDR slightly more than the sinkhole attack on networks
where more than 5% of nodes are attackers. Even though both attacks take
control of the route to the destination node, in some cases the attackers could be
on a route between the source and the destination nodes. Only in such cases are
data packets forwarded in sinkhole attacks, which explains the small differences
between the PDR of networks under sinkhole and blackhole attacks.
Fig. 4. PDR of networks under dropping attack


Table 4. Average performance metrics of networks under blackhole attack 


Attackers (%) | PDR (%) | E2E delay (s) | Overhead
0% | 91,43 | 0,0253 | 6,64
5% | 88,04 | 0,0254 | 5,91
10% | 82,53 | 0,0334 | 11,68
15% | 69,34 | 0,0191 | 43,58
20% | 56,81 | 0,0170 | 72,77


Finally, a DoS attack type is analyzed. The performance results of networks
under ad hoc flooding attacks are given in Table 5 and Fig. 6. As expected, the
overhead increases considerably. The high number of routing control messages
also causes data packets to drop due to network congestion.

The effects of attacks are compared with each other by using PDR, E2E
delay, and overhead in Figs. 7, 8, and 9, respectively. As shown in Fig. 7, even
though the blackhole attack is a combination of sinkhole and dropping attacks, the
difference between the effects of those attacks is not as notable as
expected. Hence, the attackers could decrease PDR considerably in these small
networks even by performing only the simplest attack, dropping, so they do
not even need to attract the traffic to themselves. This may be due to
other factors analyzed in depth in the ongoing study. On the other hand, the ad
hoc flooding attack causes more packets to drop than dropping attacks due to
the congestion it creates in the network. Even in the presence of one attacker
(5%), the ad hoc flooding attack shows a considerable decrease in PDR.


Fig. 5. PDR of networks under blackhole attack (axis: PDR (%))
Table 5. Average performance metrics of networks under ad hoc flooding attack


Attackers (%) | PDR (%) | E2E delay (s) | Overhead
0% | 91,43 | 0,0253 | 12,29
5% | 76,53 | 0,065 | 5,59
10% | 76,46 | 0,063 | 5,00
15% | 69,30 | 0,028 | 40,66
20% | 57,01 | 0,018 | 107,76
Fig. 6. PDR of networks under ad hoc flooding attack

Fig. 7. Comparison of PDR on networks under different attack types

Fig. 8. Comparison of E2E delay on networks under different attack types


As shown in Fig. 8, E2E delay increases until the density of attackers reaches
10% of nodes. Since the network resources are still available until this point,
packet delay increases proportionally to the increase in the number of attackers.
However, as the number of attackers in the network continues to increase, the
overhead also increases considerably due to re-initiation of the route discovery
mechanism, as shown in Fig. 9. This increase is very dramatic for ad hoc flooding
attacks, as expected. Because of the overhead, and hence the network congestion,
packets start to be dropped. Moreover, since data packets on shorter
routes have a higher chance of being forwarded than data packets on longer routes,
this might still affect the E2E delay positively on networks with a high number
of attackers.
Fig. 9. Comparison of overhead on networks under different attack types


5 Conclusion 


This paper analyzes how various attacks against FANETs affect network
performance. In particular, routing attacks targeting AODV, namely sinkhole,
dropping, blackhole and ad hoc flooding attacks, are taken into consideration. The
experimental results show that all attacks degrade the performance of the
network, especially when the ratio of attackers exceeds 15%. When the density
of attackers is below that, the network can still run smoothly. In such cases, the
effects of such attacks might be limited due to high mobility. Furthermore, it is
shown that sinkhole, dropping and blackhole attacks affect the network in a similar
way when the attackers are placed in the same positions. Hence, the attackers
could decrease the PDR by performing the simplest attack, dropping, so they do
not even need to attract the traffic to themselves in small networks. Only the
ad hoc flooding attack could result in a sharper decrease in PDR even in the
presence of one attacker (5%) due to its very nature.

To the best of the authors' knowledge, this is the first attack analysis on
FANETs with realistic simulation parameters. The studies in the literature still
use 2D mobility models. Hence, it is believed that this study could accelerate
studies on FANET security. Researchers could use the network parameters here
in order to simulate attacks that could really affect FANETs, so they could
propose solutions for mitigating/detecting such attacks. In the future, more
complex attack scenarios in larger networks are planned to be analyzed.


References 


1. Abraham, S., Meylan, A., Nanda, S.: 802.11n MAC design and system performance.
   In: IEEE International Conference on Communications, vol. 5, pp. 2957-2961.
   IEEE (2005). https://doi.org/10.1109/icc.2005.1494932

2. Akram, R.N., et al.: Security, privacy and safety evaluation of dynamic and static
   fleets of drones. In: 2017 IEEE/AIAA 36th Digital Avionics Systems Conference
   (DASC), pp. 1-12 (2017). https://doi.org/10.1109/DASC.2017.8101984

3. Altawy, R., Youssef, A.M.: Security, privacy, and safety aspects of civilian drones:
   a survey. ACM Trans. Cyber-Phys. Syst. 1(2), 1-25 (2016).
   https://doi.org/10.1145/3001836

4. Bekmezci, I., Sahingoz, O.K., Temel, S.: Flying AD-HOC networks (FANETS):
   a survey. Ad Hoc Networks 11(3), 1254-1270 (2013).
   https://doi.org/10.1016/j.adhoc.2012.12.004

5. Bekmezci, I., Şentürk, E., Türker, T.: Security issues in flying AD-HOC networks
   (FANETS). J. Aero. Space Technol. 9(2), 13-21 (2016).
   http://jast.hezarfen.msu.edu.tr/index.php/JAST/article/view/32

6. Bhatia, V., Walia, E., Singla, P.: VANET and FANET under the impact of the
   security attack. Int. J. Innov. Technol. Explor. Eng. 8(9), 390-397 (2019).
   https://doi.org/10.35940/ijitee.11062.0789S19

7. Broyles, D., Jabbar, A., Sterbenz, J.P.: Design and analysis of a 3-D gauss-markov
   mobility model for highly dynamic airborne networks. In: Proceedings of the
   International Telemetering Conference, p. 46, January 2010

8. Condomines, J.P., Zhang, R., Larrieu, N.: Network intrusion detection system for
   UAV AD-HOC communication: from methodology design to real test validation.
   Ad Hoc Networks 90, 101759 (2019). https://doi.org/10.1016/j.adhoc.2018.09.004

9. Dokurer, S., Erten, Y.M., Acar, C.E.: Performance analysis of ad-hoc networks
   under black hole attacks. In: Conference Proceedings of IEEE SOUTHEASTCON,
   pp. 148-153 (2007). https://doi.org/10.1109/SECON.2007.342872

10. El-Semary, A.M., Diab, H.: BP-AODV: blackhole protected AODV routing
    protocol for MANETs based on chaotic map. IEEE Access 7, 95197-95211 (2019).
    https://doi.org/10.1109/ACCESS.2019.2928804

11. Jain, A.K., Tokekar, V.: Mitigating the effects of Black hole attacks on AODV
    routing protocol in mobile AD Hoc networks. In: 2015 International Conference on
    Pervasive Computing ICPC 2015 (2015).
    https://doi.org/10.1109/PERVASIVE.2015.7087174

12. Ladosz, P., Oh, H., Chen, W.H.: Optimal positioning of communication relay
    unmanned aerial vehicles in urban environments. In: 2016 International
    Conference on Unmanned Aircraft Systems (ICUAS), pp. 1140-1147 (2016).
    https://doi.org/10.1109/ICUAS.2016.7502562

13. Mahmud, I., Cho, Y.Z.: Adaptive hello interval in FANET routing protocols
    for green UAVs. IEEE Access 7, 63004-63015 (2019).
    https://doi.org/10.1109/ACCESS.2019.2917075

14. Maxa, J.A., Mahmoud, M.S.B., Larrieu, N.: Extended Verification of Secure
    UAANET Routing Protocol. HAL Id: hal-01365933 (2016)


Analysis of Routing Attacks in FANETs 17 


Ning, P., Sun, K.: How to misuse AODV: a case study of insider attacks against 
mobile ad-hoc routing protocols. Ad Hoc Networks 3(6), 795-819 (2005) 

The ns-3 network simulator (2021). http://www.nsnam.org/ 

Ochola, E.O., Mejaele, L.F., Eloff, M.M., Van Der Poll, J.A.: Manet reactive rout- 
ing protocols node mobility variation effect in analysing the impact of black hole 
attack. SATEE Africa Res. J. 108(2), 80-92 (2017). https://doi.org/10.23919/saiee. 
2017.8531629 

Perkings, C., Belding-Royer, E., Das, S.: Ad hoc On-Demand Distance Vector 
(AODV) Routing. Ietf Rfc 3561 (2003) 

Praveen, K.S., Gururaj, H.L., Ramesh, B.: Comparative analysis of black hole 
attack in Ad Hoc network using AODV and OLSR Protocols. Proc. Comput. Sci. 
85, 325-330 (2016). https://doi.org/10.1016/j.procs.2016.05.240 

Sahingoz, O.K.: Networking models in flying AD-HOC networks (FANETS): con- 
cepts and challenges. J. Intell. Robot. Syst. 74(1), 513-527 (2014). https://doi. 
org/10.1007/s10846-013-9959-7 

Sen, J., Koilakonda, S., Ukil, A.: A mechanism for detection of cooperative black 
hole attack in mobile AD Hoc networks. In: Proceedings - 2011 2nd International 
Conference on Intelligent Systems, Modelling and Simulation, ISMS 2011, pp. 338- 
343 (2011). https://doi-org/10.1109/ISMS.2011.58 

Shumeye Lakew, D., Sa’Ad, U., Dao, N.N., Na, W., Cho, S.: Routing in flying 
Ad Hoc networks: a comprehensive survey. IEEE Commun. Surv. Tutorials 22(2), 
1071-1120 (2020). https: //doi.org/10.1109/COMST.2020.2982452 

Tan, X., Zuo, Z., Su, S., Guo, X., Sun, X.: Research of security routing protocol 
for UAV communication network based on AODV. Electronics 9(8), 1-18 (2020). 
https: //doi.org/10.3390/electronics9081185 

Walia, E., Bhatia, V., Kaur, G.: Detection of malicious nodes in flying Ad-HOC 
networks (FANET). Int. J. Electron. Commun. Eng. 5(9), 6-12 (2018). https:// 
doi.org/10.14445 /23488549 /ijece- v5i9p102 

Xu, Z., Huo, J., Wang, Y., Yuan, J., Shan, X., Feng, Z.: Analyzing two connec- 
tivities in UAV-ground mobile AD HOC networks. In: 2011 IEEE International 
Conference on Computer Science and Automation Engineering, vol. 2, pp. 158- 
162 (2011). https: //doi.org/10.1109/CSAE.2011.5952445 


f u ) 


Check for 
updates 


Context-Aware Routing and Forwarding 
Model for NDN-Based VANET 


Elidio da Silva, Joaquim Macedo, and António Costa


1 Lurio University, Pemba, Mozambique 
i1d6644@alunos.uminho.pt 
2 Algoritmi Centre, University of Minho, Braga, Portugal 
{macedo, costa}@di.uminho.pt 
https://algoritmi.uminho.pt/


Abstract. Routing in Vehicular Ad hoc Networks (VANET) is a challenging
topic due to link intermittency, which in turn makes it difficult to manage
routing tables. One solution is to avoid routing table management and adopt
flooding. This solution is adopted by many state-of-the-art proposals.
However, it can degenerate into broadcast storm problems. Some proposals
leverage the characteristics of Named Data Networking (NDN) to improve VANET.
They use the Forwarding Information Base (FIB) to manage routes, but flooding
is still the main mechanism used to update FIB when nodes move from one
location to another. These solutions neither take advantage of the in-network
caching, nor adapt routing to VANET context.

Each VANET context presents different routing requirements, thus,
a context-aware routing and forwarding model that uses FIB to manage
routes is proposed. A mobility prediction mechanism is adopted to
update FIB and the list of neighbors. Additionally, all overheard packets
are processed in order to update the neighbors list and, thus, avoid
frequent broadcasts. To take advantage of the in-network caching, nodes
share their list of cached contents when responding to a special request
from the RSU, querying for new content sources. To attain this objective,
modifications of the NDN structures are performed.

An improved performance of VANET is expected, at a cost of an 
increased computational overhead due to the processing of all overheard 
packets, and the mobility prediction. 


Keywords: Caching - Named Data Networking - Routing - Vehicular 
Ad hoc Networks 


1 Introduction 


The development of Intelligent Transportation Systems (ITS) [18] is intimately 
attached to the development of vehicular communications, and particularly 
Vehicular Ad Hoc Networks (VANET). In turn, the development of vehicular 
communications presents specific challenges due to their intrinsic characteristics 
such as frequent network partitioning, highly dynamic topology, and short-lived
links between nodes. 

State-of-the-art routing and forwarding in VANET are mainly geographic or 
topology based. Topology-based solutions resort to flooding in order to acquire 
topological information. Geographical solutions also resort to flooding when the 
content source moves. Network flooding is a solution that should be avoided, 
because it is ineffective in terms of resource management and can result in the 
broadcast storm problem, compromising the traffic and the network efficiency. 

Named Data Networking (NDN) [29], a new Internet architecture, identifies
contents by their names instead of their relative location (i.e., the IP
addresses). This characteristic (i.e., name-based content identification and
routing) brings another important architectural advantage of NDN: in-network
data caching, which augments the sharing capacity of the nodes. Additionally,
the NDN forwarding plane is stateful and adaptive [26], giving this architecture
the capacity to control and avoid packet loops.

A context-aware NDN-based routing and forwarding mechanism for VANET is
proposed in this paper. The context-awareness is based on the application type and
the communication model in use. Additionally, the model distinguishes pull- and
push-based messages. We propose a hybrid (geographic and topology-based) routing
model, in the sense that the model will leverage all overheard packets to extract
topological information and the geographical location of the node will be used to
forward packets to specific nodes in the network. To further avoid or reduce the need
for flooding, a mobility prediction algorithm will be used. The main task of this
algorithm is to predict routes of the moving nodes, avoiding frequent broadcast
of beacon messages. The internals of the mobility prediction mechanism are
not discussed here. Whereas the routing mechanism will be responsible for
proactively maintaining an updated Forwarding Information Base (FIB) on a relatively
long-term basis, the proposed forwarding strategy will keep the list of neighbors
updated and will take advantage of in-network data caching to avoid flooding.
Unlike studies such as [8], which allow caching of all unsolicited Data, we
select unsolicited Data based on their application type: push-based, safety, and all
short-lived messages are not cached.

To attain these objectives, the following NDN main structures are modified: 
Pending Interest table (PIT) to include the previous node forwarding the packet; 
the FIB, to include Node Mobility Status Information - NMSI (i.e., the node 
ID, node speed, node geographical coordinates, direction, and timestamp); the 
NDNLPv2 [16] packet (LpPacket) headers are extended to include the node 
mobility status information (for Interest and Data packets). This information 
is extracted in each node receiving the packet and is used to update the list of 
neighbors; a link adaptation layer is proposed to incorporate the specificities of 
the ad hoc vehicular network. 

The remainder of this paper is organized as follows: Sect. 2 presents the
related work. Section 3 presents the model design including the proposed
mechanism for content discovery, the forwarding strategy, and the routing protocol.
Section 5 presents the summary and discussion of contributions.
2 Related Work


The high mobility of VANET nodes results in a highly dynamic topology and
intermittent connectivity. These are the main constraints that make it difficult or 
even infeasible to run a routing protocol in VANET [8]. Several efforts, however, 
have been put forward to overcome such difficulties and develop routing solutions 
for VANET. 

Authors in [8] use a complex mapping of geofaces and geographical areas
to decide where to forward the Interests towards the corresponding contents.
Having reached the geographical area, the Interest is then flooded.

Authors in [28] propose a proactive opportunistic routing mechanism that 
keeps track of content locations using last encounter information location. The 
vehicles periodically advertise to one-hop neighbors to collect the summary of all 
contents in the node. The same authors propose in [24], a vehicular information 
network architecture with a push-based mechanism, for content dissemination. 
The study also proposes a naming scheme and a proactive location-based routing. 

Taking advantage of the computing, caching and communication capabilities of
vehicles, [15] proposed a routing mechanism that confines the broadcast of
Interest/Data to the most important vehicles. In this way, the information is available
within the vehicles with higher centrality score. To identify important vehicles,
which are responsible for efficient content distribution, the authors use their
previously proposed mechanisms that enable each vehicle to autonomously find its
own importance in the network.

In [12], the authors propose a routing protocol that initially floods the
network to populate FIB, and then forwards packets based on the previously
populated FIB. This mechanism is somewhat similar to the solution proposed by [20]
for wired networks. An Interest is periodically broadcasted in order to discover
new paths and new content sources. The proposed solution identifies nodes by
their MAC address, and in [13] they extend the previous solution, extracting
the Face MAC address from the NDN strategy layer. In [9], the same authors
propose a V2I communication architecture also based on NDN, which is then
extended to support V2V communications. The proposed solution works in two
different routing approaches, one where requests are forwarded to the RSU and
another where the RSU is defined as a backup network component. Additionally,
they propose in [10] a routing protocol that assumes each vehicle has a set of
unidirectional antennas, used in unicast transmissions to forward the messages in
a specific direction. To support vehicle mobility, the solution includes a
forwarding mechanism that uses timers in each vehicle to identify unsatisfied requests.
When a timer elapses, the vehicle re-transmits its request through another path.
In [11] they present the details of [10], including its performance evaluation.

A routing protocol is proposed in [23]. The solution combines
data-name-based routing and host-ID-based routing to address the mobility issue and the
broadcast storm problem from NDN flooding solutions. In the referred work,
nodes request data by their content name, then, knowing the content location,
the ID-based routing is triggered. Using the corresponding position, the protocol
computes the route towards the destination host. When the content provider is
unknown, a flooding process takes place.

In [4] a protocol that reduces broadcast storm by using a defer timer (packet 
holding time) is proposed. The protocol prioritizes Interest transmissions among 
neighbor nodes, avoiding packet re-transmissions. 

In [6], the authors propose a model in which vehicles periodically notify
neighbors about their cached content and maintain a local table containing neighbors’
cached contents. When a route disruption occurs, the solution resorts to a
distance prediction algorithm to calculate the next hop. The presented protocol is
topology-based and works proactively.

A reactive routing protocol is presented in [27]. The proposed solution
categorizes Information-Centric Networking (ICN) content into: 1) popular public
data services, 2) popular private data services, and 3) unpopular data services.
Arguing that for each of these categories, it may be necessary to choose an
appropriate routing design, the authors designed a Bloom Filter (BF) based routing
protocol for popular data services (1 and 2). The nodes in the corresponding
clusters periodically summarize the content to create their own BF (content
digests), which are then used to advertise (by flooding) the local content of the
partition to which they belong.

As shown above, the majority of these proposals resort to flooding for content 
discovery, dissemination, and for recovering from route disruption. Additionally, 
they resort to constant broadcast of beacon messages to create and maintain 
a list of neighbors. To maintain an updated list of neighbors a protocol should 
increase the frequency of beacon broadcast, which results in an increased network 
traffic, and consequently collisions and delays in delivering packets. 

The result of a literature review performed in [21] indicates that although
some proposals applied NDN-based routing and forwarding for VANET, none of
the surveyed solutions considers the different network scenarios (e.g., highway,
rural or urban environment) or the different applications (e.g., safety/emergency,
efficiency or entertainment), and none adapts the solution to the network
characteristics where the model is applied, i.e., they are not context-aware. In addition,
none of them included mobility prediction to help update the list of neighbors
and select better relay nodes for packet forwarding, in order to avoid or
reduce broadcast. Moreover, these solutions do not leverage the in-network data
caching for routing decisions. Actually, the study by [6] considers the use of
in-network caching for content discovery but does so by allowing each vehicle in
the network to perform flooding, requesting each other node to share the list of
their cached content, a solution that can overload the network traffic.

Table 1 presents the comparison summary of state-of-the-art solutions, and
the main differences from the solution proposed in this work.
Table 1. Main contributions and differences from state-of-the-art solutions

| Property | References | Existing solution | Our contributions |
|---|---|---|---|
| Content discovery | [4,10,12,13,15,23,24,27,28] | Flooding | Flooding (rural scenario); RSU beaconing (urban scenario), flood if no route to RSU, and no corresponding entry in Cached Content Table (CCT) |
| | [9] | Flooding (decentralized approach); RSU beaconing (centralized approach), wait if no route to RSU or to the content source | |
| Neighbor status | [4,10,12,13,15,23,24,27,28] | Maintained by 1-hop beacon broadcast, from all nodes | Maintained by 3-hop beacon broadcast, from RSU (urban scenario), and 1-hop beacon broadcast from all nodes (rural scenario). Normal traffic leveraged to gather neighbor status, by including control information onto the Interest/Data NDNLP packet header |
| Routing enhancement feature | [6] | Caching (periodic beacon broadcast from 1-hop nodes, to share cached content list), and distance prediction method (reference to this method is unreachable) | Caching (Sharing of cached content list from any node), and mobility prediction |
| Context awareness | [9] | Communication mode (V2V, V2I) | Dissemination mode (push-, pull-based); application type (active safety, efficiency, comfort, interactive-entertainment); network density (rural, urban); and communication model (V2V, V2I) |
| Content caching | [7] | Cache all content (including all unsolicited Data) | Selective unsolicited Data caching, depending on application type (drops: all push-based, caches: (1) solicited safety, (2) comfort, and (3) some long-lived interactive-entertainment application) |
| Beacon broadcast | All | Periodic (frequent) from all nodes | Periodic (less frequent) from all nodes (rural scenario), only RSU (urban scenario). All overheard traffic (not dedicated beacons) leveraged to distribute control information, and reduce the frequency of beacon broadcast |
3 Proposed Model Design


In this work, a context-aware routing and forwarding model designed to take
mobility prediction into consideration is proposed. The main goal is to forward
packets to specific nodes whose trajectories are known, and avoid broadcast
whenever possible. In-network content caching is also explored by means of a
process initiated by the RSU, in which all nodes along the forwarding path, from
the RSU to the content source, share their list of cached content.

The context-awareness is firstly based on the type of communication (i.e.,
pull- or push-based). Based on the classification adapted from [5], four classes
of VANET applications are considered: active safety, efficiency, comfort and
interactive-entertainment. These classes are grouped by communication model
(i.e., V2I or V2V), region of interest (i.e., small, medium or large), delay
sensitivity (i.e., delay tolerant/sensitive), frequency of message transmission, traffic
volume, and content validity period. Communication requirements for each of
the aforementioned grouping classes are different, thus requiring different
routing/forwarding mechanisms.


3.1 Main Modifications to the NDN Structures 


The wireless channel is broadcast-based by nature, i.e., each node within the
communication range of the sender node will overhear the sent packets. This
characteristic can be exploited to reduce the need for broadcast in updating
the list of neighbors, as it is done by several state-of-the-art studies, and to
learn about new content sources. In order to take advantage of the overheard
packets, all NDN packets will be extended to carry additional (optional) control
information (i.e., the node mobility status information, mentioned earlier). The
inclusion of this information is optional in the sense that whenever necessary, the
model can fall back to the normal NDN operational mode, flooding the network to
discover new neighbors and new content sources. This information is appended to
all (Interest and Data) NDNLP packet headers, see Fig. 1a, instead of modifying
the network layer packet header.

In wired NDN, when a solicited Data is received, PIT is searched in order to
find the Face where to forward this Data to. The Face unambiguously identifies
the next hop where the packet should be forwarded to. VANET is essentially
based on wireless communications. In this network, when a node sends a given
packet, the packet is overheard by all nodes within the sender’s communication
range. Thus, the Face-based communication mechanism does not work for the
wireless channel. To overcome this, and be able to identify the node where to forward
the packet to, the ID of the node is included in the corresponding PIT entry,
alongside the Face, see Fig. 1b. A good candidate for node identification is the
MAC address of the Faces (i.e., net devices) installed on these nodes. Some
representative studies that use MAC addresses to identify nodes include [9,13,14,17].

Similarly, FIB is extended with the NMSI, see Fig. 1c, that will later be
updated by a mobility prediction algorithm - a topic for future work.

Figure 1 shows how the aforementioned three structures are modified. 
[Figure 1, three panels: (a) Inclusion of NMSI into LpPacket header (LpPacket: IncomingFaceId, NMSI, Data/Interest packet); (b) Inclusion of Node ID into PIT’s In-Record field (In-record: Face, Interest, NodeId); (c) Inclusion of NMSI into FIB’s NextHop field (NextHop: Face, Cost, NMSI)]

Fig. 1. Modifications to the NDN structures


A new table - Cached Content Table (CCT) - is added to the NDN structure.
The table is used in each node to catalog all cached Data, complementing the
CS functionality. Each CCT entry is composed of the Data prefix and the node
mobility status information. The node mobility status information refers to the
status of the last node from where the packet was received.

Given that NDN is designed for wired networks, besides the aforementioned
modifications and to complement them, a link adaptation layer between the
network layer (NDN) and the Data-link layer is developed, in order to accommodate
the specificities of VANET. This adaptation layer is responsible for building and
maintaining the list of neighbors, from all the overheard packets, as explained
later. In addition, the NMSI is attached to the outgoing packets at this layer.


3.2 Content Discovery Mechanism 


When FIB in each node is empty, or when new content still not registered in 
FIB is solicited, a content discovery process takes place. This process populates 
FIB differently for rural and urban environments. 


Discovery in Urban Environments. Urban environments are characterized
by static infrastructures, which can be the Road-side Unit (RSU) or Base
Stations (BS). The geographical locations of these nodes are persistently stored in
the FIB of all nodes in the network.

Periodically, each RSU broadcasts a beacon message to query new content
sources. In response to this beacon, the content sources advertise their contents
via a special packet - sData, which is sent back to the RSU. sData is destined
to the RSU but all the intermediate nodes receiving this packet register the
announced prefix and the list of cached content from the previous node, and
then append their own list of cached contents. That is, the in-network caching
is leveraged but, instead of allowing all vehicles to broadcast their list of cached
content, as proposed in [6], for instance, a request-based mechanism from the
RSU is adopted and only the vehicles on the path from the content source to
the RSU will be allowed to share their list of cached contents.

The periodicity of the RSU beacon broadcast will be defined based on the
periodicity of the updates performed by the mobility prediction algorithm. This
way, the frequency of broadcast will be fixed lower than the state-of-the-art
solutions.


Discovery in Rural Environments. Rural and other environments not
equipped with static nodes cannot efficiently benefit from the mechanism
proposed for the urban ones. In these environments a content source producing
a new content will immediately announce this content. Additionally, content
sources announce content whenever a predefined timer elapses. The timer is set
to an ideal value resulting from the experiments, and it will be based on the
periodicity of the RSU beacon broadcast. For instance, the timer can be equal
to 3 times the periodicity of beacon broadcast. If a packet from the RSU is not
received during 3 times the fixed periodicity of RSU broadcast, vehicles in a rural
environment announce their prefixes.
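The two discovery triggers of this section, modelled as an added example that is not code from the paper: an sData travels from a content source to the RSU while each node on the path registers what earlier hops announced and then appends its own cached-content list, and a rural node falls back to self-announcement after 3 beacon periods without an RSU packet. The class and field names, the sample prefixes and the 10-second period are assumptions; the FIB here stores only a node ID, whereas the paper's FIB also carries the NMSI.

```python
from dataclasses import dataclass, field


@dataclass
class SData:
    """Special Data sent towards the RSU in answer to its beacon."""
    announced_prefix: str            # prefix advertised by the content source
    # (node ID, cached prefixes) pairs appended hop by hop (assumed layout)
    cached_lists: list = field(default_factory=list)


@dataclass
class DiscoveryNode:
    node_id: str
    cached: tuple = ()                        # prefixes held in the local CS
    fib: dict = field(default_factory=dict)   # prefix -> node to forward towards
    cct: dict = field(default_factory=dict)   # prefix -> node known to cache it
    last_rsu_packet: float = 0.0              # time the last RSU packet was heard

    def on_sdata(self, pkt, prev_hop):
        """Register what the packet announces, then append the local list."""
        # The node the sData came from is the next hop towards the source.
        self.fib[pkt.announced_prefix] = prev_hop
        # Record the cached-content lists carried from the previous nodes.
        for holder, prefixes in pkt.cached_lists:
            for prefix in prefixes:
                self.cct.setdefault(prefix, holder)
        # Only nodes on the source-to-RSU path get to share their own list.
        if self.cached:
            pkt.cached_lists.append((self.node_id, tuple(self.cached)))
        return pkt

    def must_self_announce(self, now, rsu_period, factor=3):
        """Rural fallback: True once no RSU packet arrived for factor periods."""
        return now - self.last_rsu_packet >= factor * rsu_period


def run_discovery(source_id, prefix, relays, rsu):
    """Carry one sData from the content source over the relays to the RSU."""
    pkt, prev = SData(prefix), source_id
    for node in list(relays) + [rsu]:
        pkt = node.on_sdata(pkt, prev)
        prev = node.node_id
    return pkt


def demo():
    # Constructed topology: S -> V1 -> V2 -> RSU1
    v1 = DiscoveryNode("V1", cached=("/map/x",))
    v2 = DiscoveryNode("V2", cached=("/music/y",))
    rsu = DiscoveryNode("RSU1")
    pkt = run_discovery("S", "/video/a", [v1, v2], rsu)
    return v1, v2, rsu, pkt


if __name__ == "__main__":
    v1, v2, rsu, pkt = demo()
    print("RSU FIB:", rsu.fib)
    print("RSU CCT:", rsu.cct)
```

Each node only learns about caches that lie between it and the content source, so the RSU ends up with the most complete table while no vehicle had to broadcast its own list.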


3.3 Forwarding Strategy 


For packet forwarding, the NDN forwarding plane uses the information stored in FIB.
However, differently from TCP/IP networks, the NDN forwarding plane is stateful
and intelligent, in the sense that it is able to make per-node decisions about
the preference and the usage of existing routes based on their performance and
status. Although NDN-based local networks can work without a routing protocol
given the intelligence of the forwarding plane - which can detect and recover
by itself from any situation of network failure [29] - the need for routing is
exhaustively investigated and justified in [25]. In our design, depending on the
message type, the forwarding plane can process the received message without
using routing, as explained in the next sections.

The following sections present incoming Data and incoming Interest
processing in each NDN node.


Processing for Incoming Data. As presented in Algorithm 1, on packet
reception the model verifies if it is a solicited Data or not. Unsolicited Data can be
either an overheard pull-based or push-based message. The push-based messages
belong to the safety/emergency class, and in this case the Data is broadcasted
after its validity is verified. This type of message is not processed in PIT or
FIB, and is not stored in cache. The reasoning behind this is the fact that these
messages are urgent and short-lived.

Efficiency related messages are generally solicited and also short-lived,
therefore they are broadcasted and not stored in cache. Comfort and
Interactive-entertainment related messages are processed as usual in NDN. In addition,
we propose the registration of the received Data in the CCT. This way, future
requests for the same Data can be redirected to the nodes holding the Data,
based on the information held by this table.

Other unsolicited Data, but not push-based, is stored in cache only if it is
classified as long-lived. Otherwise, the Data is discarded.


Algorithm 1: Incoming Data processing

    Input: destId: Next hop node ID;
           NMSI: Node Mobility Status Information

    if (Push-based Data) then
        if (Data still valid) then
            Broadcast(Data)
        else
            Discard_Data()
    else
        if (Corresponding Interest exists in PIT) then
            if (Efficiency-related Data) then
                Broadcast(Data)
            else
                Forward(Data, destId)
                Add_To_CS(Data)
                Update_CCT(Data-Prefix, NMSI)
        else
            if (Long-lived Data) then
                Add_To_CS(Data)
                Update_CCT(Data-Prefix, NMSI)
            else
                Discard_Data()


We propose a scheme where all safety-related content, which is also
push-based, will be based on the following prefix:


/push-based/info-type/sender-ID/sender-geo-coordinates/


The first component is used to identify the type of content as being
push-based, and destined to broadcast. There can be different types of push-based
content. For instance, besides the active safety content there is the content related
to road efficiency. The latter is longer-lived than the former, thus, they can be
treated differently. This is the reasoning behind the distinction provided by the
second component. The third component is the identification of the sender, and
the last component is the geographical location of the sender. It is important
to have the geographical coordinates of the sender, given that safety content is
location-dependent. The broadcast information is only important within hundreds of
meters of the location where it has been sent (i.e., it has a medium
region of interest), therefore the model fixes the hop limit to 1.
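Algorithm 1 combined with the push-based naming scheme, as an added example that is not the authors' implementation: the name is checked against the four-component layout before a push-based Data is rebroadcast with hop limit 1, and the PIT, CS and CCT are updated as the algorithm prescribes. The "lat,lon" coordinate encoding, the use of the name minus its last component as the Data prefix, treating a malformed name as not valid, and all class and sample names are assumptions.

```python
from dataclasses import dataclass

PUSH_HOP_LIMIT = 1   # the model fixes the hop limit of push-based Data to 1


def parse_push_name(name):
    """Split /push-based/info-type/sender-ID/sender-geo-coordinates/.

    Returns (info_type, sender_id, (lat, lon)), or None when the name does
    not follow the scheme. The "lat,lon" text encoding is an assumption.
    """
    parts = name.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "push-based" or not all(parts):
        return None
    try:
        lat, lon = (float(v) for v in parts[3].split(","))
    except ValueError:            # wrong number of values or not a number
        return None
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return None
    return parts[1], parts[2], (lat, lon)


@dataclass
class Data:
    name: str
    app_class: str        # "safety", "efficiency", "comfort" or "entertainment"
    expires_at: float     # end of the validity period, in seconds
    long_lived: bool = False


class DataPipeline:
    """Incoming Data processing of one node (Algorithm 1)."""

    def __init__(self):
        self.pit = {}     # Data name -> ID of the node the Interest came from
        self.cs = {}      # Content Store: name -> Data
        self.cct = {}     # Cached Content Table: Data prefix -> NMSI

    def _cache(self, data, nmsi):
        self.cs[data.name] = data
        prefix = data.name.rsplit("/", 1)[0]   # assumed prefix granularity
        self.cct[prefix] = nmsi

    def on_data(self, data, nmsi, now):
        """Return (action, detail): detail is the hop limit of a push
        broadcast, the next-hop node ID of a forward, otherwise None."""
        if data.name.startswith("/push-based/"):
            # No PIT, FIB or cache processing for push-based Data.
            if parse_push_name(data.name) and now < data.expires_at:
                return ("broadcast", PUSH_HOP_LIMIT)
            return ("discard", None)
        if data.name in self.pit:                  # solicited Data
            dest_id = self.pit.pop(data.name)
            if data.app_class == "efficiency":     # short-lived: do not cache
                return ("broadcast", None)
            self._cache(data, nmsi)
            return ("forward", dest_id)
        if data.long_lived:                        # unsolicited, overheard
            self._cache(data, nmsi)
            return ("cache", None)
        return ("discard", None)


if __name__ == "__main__":
    node = DataPipeline()
    nmsi = {"id": "V7", "speed": 13.9}             # constructed sample NMSI
    alert = Data("/push-based/safety/V9/41.55,-8.42/", "safety", 105.0)
    print(node.on_data(alert, nmsi, now=100.0))
    print(node.on_data(alert, nmsi, now=106.0))
```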
Processing for Incoming Interest. When an Interest is received, a CS lookup
procedure takes place like in the standard NDN. When no corresponding Data is 
found in CS, a PIT lookup procedure is performed. If a PIT entry exists but from 
a different incoming Face, the new request is aggregated to the existing pending 
Interest. If no pending Interest is found, the new Interest is added to PIT. If the 
Interest is related to the efficiency application class, then it is broadcasted, as it 
deals with the delay-sensitive content. 

If the received packet is related to the comfort or interactive-entertainment 
application class, then a FIB match is performed. In case that the Interest 
matches a FIB entry, it is forwarded using the predicted routes, as presented 
in Sect. 3.4. Otherwise, its corresponding content still needs to be discovered. 
Apart from the mechanism presented in Sect. 3.2, when a new content discovery is to
be performed, the following procedure takes place.

In urban environments and for comfort and interactive-entertainment
application classes, the model follows a mechanism similar to the one proposed in [9],
where the Interest is forwarded towards the RSU which is supposed to have a
broader knowledge about other existing routes. However, differently from that
study, our solution does not await the creation of a FIB entry; it broadcasts the
Interest. Before the Interest is broadcasted however, a last feature is explored
- the usage of known cached contents from other nodes. In this procedure, a
CCT lookup is performed and when a match is found the Interest is forwarded
accordingly. When no match is found, the Interest is broadcasted.

Algorithm 2 describes the intermediate node processing for an incoming 
Interest. 


3.4 Routing Protocol 


Routing protocols are responsible for initiating and maintaining routes to facil- 
itate multi-hop communication. Routing populates and keeps FIB updated. 

Several forwarding proposals for NDN-based VANET are based on flooding
(blind flooding), and include a particular scheme to control the rebroadcast, e.g.,
resorting to distances to the content provider, and timers to defer the subsequent
broadcast. This mechanism has the advantage of simplicity, does not require
knowledge about the neighbor nodes, and does not require the usage of FIB.
However, it generally results in problems such as traffic congestion, packet
collisions, or delivery delays due to the broadcast storm problem [7,19,22].

A relatively more intelligent alternative to broadcast and the use of
defer timers and distances is the identification and selection of possible relay
nodes by using unicast communications [2,3,9,11,12,17]. This approach requires
an updated knowledge of the geographical location of the node’s neighbors, from which
the better relay between the current node and the content source can be selected.
This mechanism can reduce the traffic congestion, collision and delivery delays,
as demonstrated in [1], for the specific case of MANET. However, some kind of
beacon broadcast is still necessary to maintain an updated list of the neighborhood,
as used by the majority of state-of-the-art proposals, see Table 1. We claim, as
a hypothesis, that this issue can be mitigated by using some alternative
mechanisms such as the mobility prediction and/or by leveraging the overheard packets
to extract the neighborhood-related information (see Sect. 3.1), as proposed in
this work.

Algorithm 2: Incoming Interest processing

    Input: prevId: Previous node ID;
           destId: Next hop node ID;

    if (Data exists in CS) then
        ReturnToRequester(Data, destId)
    else
        if (Interest exists in PIT) then
            Aggregate(Interest)
        else
            AddToPITEntry(Interest, prevId)
            if (Efficiency-related Interest) then
                Broadcast(Interest)
            else
                if (Interest matches FIB entry) then
                    Forward(Interest, destId)
                else
                    if (Data-prefix in CCT) then
                        Forward(Interest, destId)
                    else
                        if Urban scenario then
                            Forward_To_RSU(Interest, destId)
                        else
                            Broadcast(Interest)

Whenever a good intermediate candidate for relay exists, it will be selected
to forward the messages.

Algorithm 3 describes the routing process in place on vehicles and on the
RSU. As explained in Sect. 3.2, in urban environments the RSU broadcasts beacon
messages for content discovery. In response to the beacon message, or on a
self-initiated content announcement from the content source in a rural environment,
the content sources send back a special Data (sData) that carries a Prefix
Announcement (PA). If a packet holding the prefix announcement is received in
a node, a FIB entry is created or updated. As referred earlier, besides the PA,
the FIB will also include the NMSI, which for this case is related to the content
source (NMSI-CS). If the received Data packet is unsolicited and does not include
a PA, then a data prefix is extracted from this new packet and a FIB entry is created.
In this latter case, the NMSI is related to the intermediate node from which the
packet was received (NMSI-IN).

A periodic time-triggered mobility prediction process takes place in each
node. Neighbors are mobile nodes and the model should avoid beacon broadcast
whenever possible. Therefore, a Short-Term Mobility Prediction (STMPA) is used
to track and update the current location of a neighbor. Additionally, a
Long-Term Mobility Prediction (LTMPA), deployed only on static nodes, for example
the RSU, is used to track the trajectory of vehicles.

Routes in the FIB are periodically updated by: 1) the mobility prediction
algorithm; 2) the updates from the RSU periodic beacon broadcast process; and 3)
the control information extracted from all overheard packets, in each node.


Algorithm 3: Routing process

Input : PA; NMSI-CS; NMSI-IN; DP: Data-Prefix;

if (New packet received) then
    if (packet holds a Prefix Announcement) then
        CreateOrUpdateFIB (PA, NMSI-CS)
    else
        CreateOrUpdateFIB (DP, NMSI-IN)
    ExtractNeighborhoodInfo ()
    UpdateListNeighbors (NMSI-IN)

// Time triggered mobility prediction
if (processing for vehicles) then
    UpdateListNeighbors (NMSI-IN, STMPA)
    UpdateFIBNext-Hops (NMSI-IN, STMPA)
else if (processing for RSU) then
    UpdateFIBNext-Hops (NMSI-CS, LTMPA)


4 Security Considerations 


IP-based networks provide security by creating and securing the point-to-point
channel between the hosts. That is, the communication channel is secured rather
than the packets. NDN, on the other hand, has security built into the network
layer. Each content producer includes its signature and other authentication
information in each Data packet before sending it through the network. That
is, protection and trust are embedded in the Data packet [29]. The consumer
receiving the Data verifies and accepts the Data if the signature is authentic.
The Data security and integrity in the proposed model rely on this mechanism.
Our model allows intermediate nodes to extract the list of cached content of the
previous node from the received Data. When an intermediate node receives a
Data, it copies the received Data to extract the aforementioned list, then it
includes its own list. It encapsulates the copied Data, including the list of cached
content, in a new Data packet, and then it signs and authenticates the packet
before sending it back into the network. By allowing nodes to modify the Data
packets in order to include their list of cached content, our model is prone to
attacks where a malicious node can mislead the network by injecting a false pair
of PA and NMSI, redirecting the network traffic. As mentioned, the solution
adopted in this work is to force each node that modifies the received Data packet
to sign and authenticate the packet after the inclusion of its own list of cached
content, encapsulating the Data from the previous node. We highlight that only
the Data sent by the content source in response to the RSU periodic broadcast can
be modified as described above in this section.
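
The nested signing described in this section, sketched as an added example that is not code from the paper: each relay wraps the received Data unchanged, appends its own cached-content list and signs the wrapper, and a receiver checks every layer before using any list. It assumes HMAC-SHA256 with constructed demo keys as a stand-in for per-node signatures, and the packet field names and function names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 stands in for each node's signature so the
# example runs on the standard library alone; all field names are hypothetical.
KEYS = {"producer": b"demo-key-producer",
        "nodeA": b"demo-key-nodeA",
        "nodeB": b"demo-key-nodeB"}
PRODUCERS = {"producer"}   # identities allowed to sign the innermost Data


def canonical(body):
    """Deterministic byte encoding of a packet body, used as the signed message."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(signer, body):
    """Return a packet: the body plus the signer's tag over its canonical bytes."""
    tag = hmac.new(KEYS[signer], canonical(body), hashlib.sha256).hexdigest()
    return {"signer": signer, "body": body, "sig": tag}


def producer_data(name, content, pa, nmsi):
    """Special Data (sData) from the content source, carrying the PA and NMSI-CS."""
    return sign("producer", {"name": name, "content": content, "pa": pa, "nmsi": nmsi})


def relay_wrap(node_id, received, cached_prefixes):
    """Encapsulate the received Data untouched, add this node's cached-content
    list, and sign the new outer packet."""
    return sign(node_id, {"inner": received, "cached": sorted(cached_prefixes)})


def verify_chain(packet, keys=KEYS):
    """Check every layer from the outermost relay down to the producer.
    Returns [(signer, cached_list_or_None), ...]; raises ValueError on failure."""
    layers = []
    while True:
        if not isinstance(packet, dict):
            raise ValueError("malformed layer")
        signer, body = packet.get("signer"), packet.get("body")
        if not isinstance(signer, str) or signer not in keys or not isinstance(body, dict):
            raise ValueError(f"layer from unknown signer {signer!r}")
        expected = hmac.new(keys[signer], canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(packet.get("sig", "")).encode()):
            raise ValueError(f"bad signature on layer signed by {signer!r}")
        if "inner" not in body:
            # Innermost layer: only a content source may originate PA and NMSI.
            if signer not in PRODUCERS:
                raise ValueError(f"{signer!r} is not an authorised content source")
            layers.append((signer, None))
            return layers
        layers.append((signer, body.get("cached", [])))
        packet = body["inner"]


def is_valid(packet):
    """True when every layer of the packet verifies."""
    try:
        verify_chain(packet)
        return True
    except ValueError:
        return False


def update_cct(cct, packet):
    """Record 'prefix -> nodes caching it', using verified layers only."""
    for signer, cached in verify_chain(packet):
        for prefix in cached or []:
            cct.setdefault(prefix, set()).add(signer)
    return cct


if __name__ == "__main__":
    sdata = producer_data("/traffic/cam1/seg0", "frame-bytes", "/traffic/cam1",
                          {"x": 120.0, "y": 40.5, "speed": 0.0})
    packet = relay_wrap("nodeB", relay_wrap("nodeA", sdata, ["/weather", "/maps/t7"]),
                        ["/traffic/cam2"])
    print(update_cct({}, packet))
    packet["body"]["inner"]["body"]["inner"]["body"]["pa"] = "/traffic/other"
    print("tampered PA accepted:", is_valid(packet))
```

A valid chain only attributes each cached-content list to the node that signed it; it does not show that the node really holds that content, so a CCT entry stays a forwarding hint until the signed Data itself comes back.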


5 Summary and Discussion of Contributions 


The model is currently being evaluated, as a first step, by means of simulation.
ndnSIM and Simulation of Urban MObility (SUMO) were selected to be used
for simulations. The simulation results are extracted and statistically analyzed,
using either the MATLAB or the R environment. The results are not included in the
present paper, and will be presented in the future. Our intention here is to present
the idea under development.

In summary, the changes proposed to the NDN structure are: a) inclusion
of a link adaptation layer: to adapt the NDN architecture from its wired nature
to wireless and ad hoc, the base for vehicular communications. This layer is
responsible for maintaining the neighborhood list, and for piggybacking the NMSI on
the outgoing packets; b) the CCT: to allow cataloging the cached content of other
nodes; c) inclusion of node IDs: to allow the identification of wireless nodes,
which are not well identified by the Face system; d) the node mobility status
information (NMSI): included into the NDNLP packet headers, used for mobility
tracking; e) fields included in PIT and FIB: used in parallel with NMSI and node
ID, to forward messages to specific nodes, to avoid the need of flooding. With
this proposal we expect an overall improved performance of VANET, at a cost
of an increased computational overhead due to the added complexity for the
processing of all overheard packets, which is performed to extract neighborhood
information and predict the location and the nodes' trajectories.

Abstract. In geographic routing protocols for flying Ad hoc networks (FANETs),
unmanned aerial vehicles need to maintain real-time positions of their one-hop
neighbor nodes to make effective routing decisions. Periodic broadcasting of Hello
packets that carry the real-time geographic position coordinates of the node itself is a
popular method to maintain the neighbor information table. However, the traditional
periodic Hello mechanism ignores node mobility, network connectivity and traffic
type, and thus causes temporary communication blindness (TCB). To address this
problem, an adaptive Hello mechanism (AHM) for geographic routing is proposed
in this paper. The Hello period of working nodes is calculated according
to the real-time relative characteristic values between the node and its upstream
node, and the Hello period of idle nodes adopts a fixed value according to the
movement characteristics relative to all neighbor nodes. Moreover, the AHM is
integrated into the widely-used greedy perimeter stateless routing (GPSR) protocol,
and is compared with the original GPSR in simulation. The results show that
AHM significantly mitigates the TCB problem and gains a high packet successful
transmission rate without producing more routing overhead.


Keywords: Flying Ad hoc network - Geographic routing - Adaptive Hello 
mechanism - Temporary communication blindness - Successful transmission rate 


1 Introduction 


Recently, Unmanned Aerial Vehicles (UAVs), with the characteristics of low cost, strong
robustness, various applications, etc., have become a rapidly growing high technology, and
have attracted much attention in both military and civil fields. Especially, the multi-UAV
system, which has the advantages of good scalability, high invulnerability and high
efficiency, etc., can play an important role in multiple military operations, such as
battlefield reconnaissance, border patrolling, communication relay, precision strike, etc.
A flexible, dynamic, distributed, and robust communication network for multi-UAV is
the basis and premise for task coordination between UAVs. Flying Ad hoc Network
(FANET) is the core technology for constructing UAV communication networks [1, 2].
Not relying on prebuilt communication infrastructures, it can transmit multiple kinds
of information between UAVs, such as control instruction, situational awareness, and
reconnaissance intelligence, etc., through the aeronautical wireless channel, thus forming
a multi-hop, self-organized, temporary and distributed network. Several key
technologies, such as dynamic topology control and routing protocol, etc., are used in FANET to
achieve the interconnection of multiple UAVs [3]. It can not only extend the
communication coverage and provide high-reliability and high-robustness communication links, but
also improve the efficiency of task execution for UAVs.

FANET is a special form of mobile Ad hoc network (MANET), and the routing protocol
is responsible for discovering one or more paths and delivering packets from source to
destination through a multi-hop path [4]. Till now, a large number of routing protocols
have been used in FANETs, such as DSDV, OLSR, DSR, AODV, TORA, and so on [5,
6]. Among these routing protocols, geographic routing protocols have received much
attention due to their substantial advantages as compared to topology based routing
protocols [7–10]. Geographic routing protocols have been shown to be efficient with
accurate position information in static topology networks. However, in situations where
nodes are mobile, the local topology rarely remains static. Hence, it is necessary that
each node periodically broadcasts its updated location information to all of its
neighbors. These position update packets are usually referred to as Hello information. In most
geographic routing protocols, Hello packets are broadcast periodically for maintaining
a neighbor table at each node. The periodic Hello mechanism has several drawbacks: (1) In
mobile scenarios, the fixed period Hello mechanism brings about the temporary
communication blindness (TCB) problem and causes massive data packet loss; (2) Reception
and processing of Hello packets consumes energy, which is wasteful in idle nodes; (3)
Hello packets may collide with data packets.

The periodic Hello mechanism for MANETs stems from the Hello protocol in OSPF
version 2 and is adopted by most geographic routing protocols. Chakeres et al. in [11]
studied the Hello protocol in 802.11 ad-hoc networks and suggested that the lifetime of
a neighbor entry should be 2 times the Hello interval for optimal throughput in
mobile scenarios. Han et al. in [12] proposed an adaptive Hello scheme to save energy
by suppressing unnecessary Hello information. Mahmud et al. in [13] also proposed an
energy efficient Hello scheme based on some mission-related information to save energy
for FANET routing protocols. Hernandez-Cons et al. in [14] proposed an adaptive Hello
mechanism based on the link change rate. Park et al. in [15] proposed a Hello mechanism
where the Hello interval is determined by node speed and transmission range.

In this paper, we propose a novel adaptive Hello mechanism (AHM) for geographic 
routing protocols to mitigate the drawbacks of the periodic Hello mechanism in FANETs. 
In the AHM, the Hello period of working nodes is calculated according to the real-time 
relative characteristic values between the node and its upstream node, and the Hello 
period of idle nodes adopts a fixed value according to the movement characteristics 
relative to all neighbor nodes. Furthermore, we integrate the AHM into the widely-used 
greedy perimeter stateless routing protocol (GPSR) [16] to verify its performance. 

The rest of the paper is organized as follows. In Sect. 2, we briefly describe the TCB
problem. A detailed description of the AHM is provided in Sect. 3. The performance of 
AHM protocol is verified and analyzed through simulation in Sect. 4. Finally, Sect. 5 
concludes the paper. 

2 Description of TCB


In geographic routing protocols, when a source node needs to send a packet to a
destination, it searches its neighbor table for a node that is closest to the destination. However,
the selected node is often close to its communication boundary. The communication link
between them may easily break down due to the movement of nodes, and the link
stability is poor. Meanwhile, the upstream node does not recognize in time that
the link is broken. Thus, packets transmitted on the link will be lost. This phenomenon is
defined as the TCB problem, and it is caused by high node dynamics, a long Hello period
and a short node transmission range.


Fig. 1. The TCB problem.


The TCB is shown in Fig. 1. The Hello period is assumed to be set to 4 s in the geographic routing
protocol. The upstream node i selects node j as the next hop node from its neighbor table
at time 0 s, for it is the closest to the destination among its neighbor nodes. However, due to
the movement of node i and node j, node j may move out from the transmission range of
node i at time 2 s. If node i forwards a packet to node j after time 2 s, node j cannot receive
the packet, and this is not recognized by node i at the time of forwarding the packet. In
the periodic Hello mechanism, the lifetime of neighbor nodes in the neighbor table is often
set to be 2 times the Hello period. Thus, node j will be removed from the neighbor
table of node i at time 8 s. During this period, TCB will lead to packet loss and seriously affect the
performance of the geographic routing protocol.


3 Adaptive Hello Mechanism 


3.1 Network Model 


In this paper, FANET is modeled as a graph G(V, E), where V is the set of nodes and E is
the set of full-duplex, directed communication links. E is changing over time when nodes
move. Each node has at least one transmitter and one receiver, and is represented by a
unique identifier. Let N(i) denote the set of neighbor nodes of node i. In addition, among
the numerous characteristic variables, we assume that the characteristics of FANET are
determined by the following factors: location, velocity, direction and transmission range
of each UAV. Thus, a set of characteristic variables about any node i is denoted as $a_i^t$,

$$a_i^t = \left((x_i^t, y_i^t),\, v_i^t,\, \theta_i^t,\, R_i\right) \qquad (1)$$

Where $(x_i^t, y_i^t)$, $v_i^t$ and $\theta_i^t$ represent the location, velocity and direction of node i at time t,
respectively, and $R_i$ represents the transmission range of node i.

Node j is a neighbor node of node i, and $a_{ij}^t$ is used to represent the characteristic value
of node j relative to node i. Hence, $a_{ij}^t$ is a function of the relative location, relative velocity
and transmission range of node j and node i, namely,

$$a_{ij}^t = \left((x_{ij}^t, y_{ij}^t),\, v_{ij}^t,\, \theta_{ij}^t,\, R_i,\, R_j\right) \qquad (2)$$

Where $(x_{ij}^t, y_{ij}^t) = (x_j^t, y_j^t) - (x_i^t, y_i^t)$ represents the relative location vector between
node j and node i at time t. $v_{ij}^t$ and $\theta_{ij}^t$ represent the relative velocity and the relative
direction between node j and node i at time t, respectively.
In this paper, we make the following assumptions: 


(1) The transmission range of all nodes is equal. For any $i, j \in V$, $R_i = R_j = R$;

(2) Each node i knows its position $(x_i^t, y_i^t)$, which can be acquired through a GPS device
or other types of positioning service;

(3) Each node in FANET makes random motion with a velocity valued randomly at
$[0, V_{max}]$, and a direction valued randomly at $[0, 2\pi]$, and the velocity and direction
are independent of each other. That is

$$v \sim U[0, V_{max}], \quad p(v) = \frac{1}{V_{max}}, \quad v \in [0, V_{max}] \qquad (3)$$

$$\theta \sim U[0, 2\pi], \quad p(\theta) = \frac{1}{2\pi}, \quad \theta \in [0, 2\pi] \qquad (4)$$

$$p(v, \theta) = p(v)\,p(\theta) \qquad (5)$$

(4) $\Delta t$ is defined as the Hello period of the Hello mechanism. We assume that in Eq. (3)
to Eq. (5), v and $\theta$ are constant values in the short time interval $\Delta t$.


3.2 Theoretical Derivation of Adaptive Hello Period 


According to the above assumptions, node j is a neighbor node of node i and makes
movement relative to node i. The departure probability P is defined as the probability
that node j moves out of the transmission range of node i after $\Delta t$. Intuitively, P is a
monotonically increasing function of $\Delta t$. One Hello period $\Delta t$ corresponds to a certain
probability 1 − P with which node j will stay in the transmission range of node i. So we
can select a certain value of P and correspondingly calculate the value of $\Delta t$. If the value
of P is smaller, the value of $\Delta t$ is smaller correspondingly, and the TCB problem will
be mitigated. If P is 0, the TCB problem will be eliminated. We select a certain value of
P (defined as the threshold $P_0$ of departure probability) and calculate the variable Hello
period $\Delta t$ as follows.

A Novel Adaptive Hello Mechanism Based Geographic 37

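As shown in Fig. 2, it is easy to know that the characteristic value of node j relative
to node i at time $t_0$ is $a_{ij}^{t_0}$, namely

$$a_{ij}^{t_0} = \left((x_{ij}^{t_0}, y_{ij}^{t_0}),\, v_{ij}^{t_0},\, \theta_{ij}^{t_0}\right) \qquad (6)$$

Fig. 2. Characteristic value $a_{ij}^{t_0}$ of node j relative to node i at time $t_0$.

The position of node j after $\Delta t$ can be expressed as
$\left(x_{ij}^{t_0} + v_{ij}^{t_0} \Delta t \cos\theta_{ij}^{t_0},\; y_{ij}^{t_0} + v_{ij}^{t_0} \Delta t \sin\theta_{ij}^{t_0}\right)$.
So the condition that node j moves out from the transmission range of node i can be
expressed as

$$\left(x_{ij}^{t_0} + v_{ij}^{t_0} \Delta t \cos\theta_{ij}^{t_0}\right)^2 + \left(y_{ij}^{t_0} + v_{ij}^{t_0} \Delta t \sin\theta_{ij}^{t_0}\right)^2 > R^2 \qquad (7)$$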

It can be derived from Eq. (7) that 


At > i, (8) 
vij 
Where 
vi = xy cos 6)? + yy sin a (9) 
$$\left(r_{ij}^{t_0}\right)^2 = \left(x_{ij}^{t_0}\right)^2 + \left(y_{ij}^{t_0}\right)^2 \qquad (10)$$

Where $r_{ij}^{t_0}$ represents the distance between node j and node i at time $t_0$.

From Eq. (8) to (10), $\Delta t$ is a function of $(x_{ij}^{t_0}, y_{ij}^{t_0})$, $v_{ij}^{t_0}$ and $\theta_{ij}^{t_0}$. Given the relative
position $(x_{ij}^{t_0}, y_{ij}^{t_0})$ of the two nodes and the distributed density of $v_{ij}^{t_0}$ and $\theta_{ij}^{t_0}$, and with the
derivation of the distributed density $p(\Delta t)$ of $\Delta t$, the threshold $P_0$ can be x Therefore,
it has

$$p(\Delta t) = \int^{\Delta t} p(t)\,dt = P_0 \qquad (11)$$


The value of the Hello period $\Delta t$ can be obtained according to Eq. (11). However, it is
very difficult to derive the value of $\Delta t$ by this method, and the following method can be
used to replace the above one.

The departure probability $p(\Delta t)$ that node j moves out of the transmission range of
node i after $\Delta t$ can be expressed as

$$p(\Delta t) = \iint_{\Omega} p(v, \theta)\,dv\,d\theta = \iint_{\Omega} p(v)\,p(\theta)\,dv\,d\theta \qquad (12)$$

Where $\Omega$ represents the area where node j will appear outside the transmission range of
node i.

The area where node j will appear after time $\Delta t$ is a circle with radius $l = v_{ij}^{\max} \cdot \Delta t$,
in which $v_{ij}^{\max}$ represents the maximal relative velocity between node j and node i.
According to the relationship between l, R and r, there are three circumstances, as
shown in Fig. 3.
shown in Fig. 3. 


(a) l < R − r    (b) R − r < l < R + r    (c) l > R + r


Fig. 3. Possible locations of node j after $\Delta t$.


(1) As shown in Fig. 3(a), if l < R − r, it can be obtained that $p(\Delta t)$ =
(2) As shown in Fig. 3(b), if R − r < l < R + r, the relative velocity v should satisfy
that


R= R i 
< T sv s H < vha (13) 


Here, we define $v_- = \max\left(0, \frac{R-r}{\Delta t}\right)$ and $v_+ = \min\left(v_{ij}^{\max}, \frac{R+r}{\Delta t}\right)$. Therefore,

$$p(\Delta t) = \int_{v_-}^{v_+} p(v) \int^{\varphi(v)} p(\theta)\,d\theta\,dv \qquad (14)$$

Where $\varphi(v)$ means the maximal direction in which node j can move out of the
transmission range of node i, and it can be expressed as

$$\varphi(v) = \pi - \arccos\frac{v^2 \Delta t^2 + r^2 - R^2}{2 r v \Delta t} \qquad (15)$$

(3) As shown in Fig. 3(c), if l > R + r, when v is valued at $\left[\frac{R+r}{\Delta t}, v_{ij}^{\max}\right]$, node j can
move out of the transmission range of node i with any direction, and it has

$$p(\Delta t) = \int_{\frac{R+r}{\Delta t}}^{v_{ij}^{\max}} p(v) \int_{0}^{2\pi} p(\theta)\,d\theta\,dv \qquad (16)$$

Based on the above analysis, the Hello period $\Delta t$ can be calculated from Eq. (11).
Figure 4 shows the numerical results of departure probability P as a function of
time $\Delta t$. In Fig. 4, the relative velocity $v_{ij}$ is uniformly distributed on [300, 340]
m/s, the transmission radius R is 200 km, and the distance r between two nodes is
180 km and 150 km, respectively. It can be seen that P increases with the increase
of $\Delta t$, and when the distance between two nodes is larger, the faster P rises with
the increase of $\Delta t$. When $P_0$ is 0, $\Delta t$ will be less than
departure probability P that a node j moves out of the transmission range of node i
is 0. In this case, the TCB problem will not occur and packets will not be lost.

[Plot: Departure Probability P versus $\Delta t$; curves for distance = 180000 m and distance = 150000 m.]

Fig. 4. Departure probability P as a function of time $\Delta t$.


In FANETs, if node i has K = num(N(i)) neighbor nodes, the Hello period
of node i relative to all nodes in N(i) can be derived as $\Delta t_n$ (n = 1, 2, 3, ..., K)
using the above method.
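
A numerical version of the calculation in this section, added here as an example and not code from the paper: it evaluates the departure probability for one neighbor and inverts it by bisection to get the Hello period for a threshold $P_0$. It assumes the relative speed is uniform on [v_lo, v_hi] and the direction uniform on [0, 2π] (the Fig. 4 setting), takes the fraction of exit directions as φ(v)/π from the geometry of Eq. (7), and all function names are hypothetical.

```python
import math


def exit_angle(v, dt, r, R):
    """Half-width phi(v) of the set of directions that carry node j, now at
    distance r from node i, outside range R after moving v*dt (cf. Eq. (15))."""
    d = v * dt
    if d <= R - r:          # cannot reach the boundary in any direction
        return 0.0
    if d >= R + r:          # leaves the disc whatever the direction
        return math.pi
    c = (d * d + r * r - R * R) / (2.0 * r * d)
    return math.pi - math.acos(max(-1.0, min(1.0, c)))


def departure_probability(dt, r, R, v_lo, v_hi, steps=2000):
    """P(dt): probability that node j is out of range after dt, for relative
    speed ~ U[v_lo, v_hi] and direction ~ U[0, 2*pi] (midpoint rule over v)."""
    if not 0.0 <= r < R:
        raise ValueError("neighbor must currently be inside the range: 0 <= r < R")
    if not 0.0 <= v_lo < v_hi:
        raise ValueError("need 0 <= v_lo < v_hi")
    h = (v_hi - v_lo) / steps
    total = sum(exit_angle(v_lo + (k + 0.5) * h, dt, r, R) for k in range(steps))
    # Average over v of the fraction of directions that exit, phi(v) / pi.
    return total / (steps * math.pi)


def hello_period(p0, r, R, v_lo, v_hi, tol=1e-3):
    """Largest Hello period dt (to within tol) whose departure probability
    does not exceed the threshold p0. P(dt) is non-decreasing in dt."""
    if not 0.0 <= p0 < 1.0:
        raise ValueError("threshold must satisfy 0 <= p0 < 1")
    lo = (R - r) / v_hi     # up to here even the fastest node cannot leave: P = 0
    if p0 == 0.0:
        return lo
    hi = lo
    while departure_probability(hi, r, R, v_lo, v_hi) <= p0:
        hi *= 2.0           # grow the bracket until the threshold is exceeded
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if departure_probability(mid, r, R, v_lo, v_hi) <= p0:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Fig. 4 setting: R = 200 km, relative speed uniform on [300, 340] m/s.
    for r in (180e3, 150e3):
        for p0 in (0.0, 0.1, 0.3):
            dt = hello_period(p0, r, 200e3, 300.0, 340.0)
            print(f"r = {r / 1e3:.0f} km, P0 = {p0:.1f}: Hello period = {dt:.1f} s")
```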

3.3 Description of Adaptive Hello Mechanism


The overall flow of the proposed AHM in this paper is shown in Fig. 5. It is mainly 
composed of three modules: node state differentiation, calculation of Hello period for 
working nodes, and calculation of Hello period for idle nodes. 


[Flowchart; recoverable box labels: a decision with branches Y and N; "Calculate Hello
period according to the characteristic value relative to its upstream node"; "Calculate
Hello period according to the characteristic value relative to all of its neighbor nodes";
"Time schedule"; "Send Hello packet".]

Fig. 5. Flow of AHM.


The first module differentiates node state. When only a small percentage of nodes in a large
FANET are involved in packet forwarding, the channel resource spent by all of their neighbor
nodes in maintaining their positions is a huge waste. To address this problem, we divide
all nodes into working nodes and idle nodes. Working nodes are packet forwarding
nodes, which are participating in packet transmission. The other nodes are idle nodes,
which are not participating in packet transmission. However, with the change of tasks
or network topology, the state of nodes may change at any time.

The second module is the calculation of the Hello period for working nodes. Working
nodes should send Hello packets to their upstream node in a timely manner to provide
accurate positions for routing decisions. Therefore, the Hello period of working nodes should
be calculated according to the relative characteristic values between the node and its
upstream node using the method described in Part B of Sect. 3, and the Hello period is
updated in a timely manner according to the changes of their relative motion.

The third module is the calculation of the Hello period for idle nodes. An idle node
should first get the characteristic values relative to all of its neighbor nodes, and
then calculate the Hello period for each of them. Finally, its Hello period $\Delta t$ is obtained by
$\Delta t = \frac{1}{K}\sum_{n=1}^{K} \Delta t_n$. In order to simplify the calculation and save energy, the idle node
can adopt a fixed Hello period, which can be set longer than that in the GPSR protocol.

4 Simulations


In this paper, we have incorporated the AHM into the traditional GPSR protocol, which is
labeled as AGGR. In this section, the effectiveness of AHM is verified by comparing
simulations of AGGR and of the GPSR protocol that adopts the Hello scheme
of fixed period (10 s). The simulations are conducted in NS-2. The main simulation
parameters are set as in Table 1.


Table 1. Simulation parameters.

Parameter                      Value
Number of nodes                50
Simulation scenario            500 × 500 × 20 km³
Transmission range of nodes    200 km
Simulation time                3600 s
Packet type                    CBR 512 bits
Packet rate                    10 packets/s
Channel bandwidth              2 Mbit/s
Node velocity                  [200,280], [280,360], [360,440], [440,520],
                               [520,600], [600,680] m/s


Instant throughput of GPSR and AGGR protocol under different node velocity is 
shown in Fig. 6. As can be seen, GPSR protocol using the periodic Hello mechanism 
causes the TCB problem. With the increase of node velocity, the network dynamics 
increases, and the packet loss caused by TCB becomes more serious. However, the AGGR 
protocol using the AHM reduces TCB effectively, and gets a high instant throughput. 

Delivery success ratio, control overhead, average throughput and transmission delay
of the GPSR and AGGR protocols are shown in Figs. 7, 8, 9 and 10, respectively.
As can be seen from Fig. 7, the packet successful transmission rate decreases with the
increase of node velocity in the GPSR protocol using the periodic Hello mechanism, but
it is less affected by the motion of nodes in the AGGR protocol. It indicates that the
AGGR protocol has good adaptability to dynamic network topology and can be applied
to highly-dynamic FANETs. As shown in Fig. 8, in the GPSR protocol, due to the
increase of node velocity, the total number of packets successfully transmitted is reduced,
while the number of Hello packets is basically unchanged, resulting in an increase of
the control overhead. In the AGGR protocol, the Hello period decreases adaptively with
the increase of velocity of relative motion between nodes, and the number of Hello
packets increases, resulting in an increase of control overhead, but it is still lower than
that in GPSR. Figure 9 shows that after adopting the AHM, the neighbor node table is
accurately constructed and maintained, which can reflect the changes of local topology,
improve the sensitivity to link breakages, and reduce packet loss. Figure 10 shows that
due to the accurate construction of the neighbor table, the optimal node can be chosen for
the next hop, and the transmission delay is also reduced.

Fig. 6. Instant throughput of GPSR and AGGR with different velocities.

Fig. 9. Average throughput of GPSR and AGGR.

5 Conclusions


In this paper, in order to address the TCB problem in geographic routing protocols, a 
novel AHM is proposed for FANETs. The AHM divides all nodes into working nodes and 
idle nodes, and nodes in different states adopt different methods for the Hello period. 
It can eliminate the drawbacks of the periodic Hello scheme and gain a high packet 
successful transmission rate without causing more routing overhead. Simulation results 
show that it improves the accuracy and real-time performance of the neighbor table, 
provides a reliable basis for geographic routing protocols, and is scalable and applicable 
to FANETs. 

Abstract. Software defined networks (SDN) offer a novel network resource
management framework which addresses network resource management challenges.
It addresses the spectrum scarcity problem by employing efficient and dynamic
spectrum access. Cognitive radio networks (CRN) enable secondary users to
coexist with licensed users in a non-interfering manner. Unfortunately, SDN is
susceptible to security threats. We integrate an SDN and a CRN and evaluate the denial
of service (DoS) in the integrated environment. The DoS attack is a threat to SDN
based networks. The DoS attack overloads the controller and floods the switch
Content Addressable Memory (CAM tables), which degrades the performance of
the network. We evaluate the effectiveness of the SDN-Guard and the Jamming
Attack in addressing the effects of the DoS.

SDN-Guard is designed to minimize the overloading of the controller, and 
the flow tables while managing the flow routes dynamically, timeouts of entry 
rule and to aggregate flow rule entries given the probability of the threat of the 
flow which is determined by an intrusion detection system (IDS). IDS is used to 
detect and control the jamming attack. It is a set of procedures and systems that 
are able to identify intrusions in a system. This study evaluates the effects of DoS 
attack on software defined cognitive radio networks. The study observed that the 
SDN-Guard detects the DoS attack earlier and it reduces the average round trip 
time and the average processing time compared to the Jamming Attack Defender. 


Keywords: Software defined networks - Cognitive radio network - Denial of 
service - Intrusion detection system 


1 Introduction 


The Software Defined Network (SDN) framework addresses several network resource
management challenges. The Cognitive Radio Network (CRN), on the other hand, is designed
to address the spectrum scarcity by employing efficient and dynamic spectrum access
(DSA). CRN provides secondary users with the ability to coexist with primary users
in non-interfering mode. In this study, we integrate the two networks and evaluate the
effects of the Denial of Service (DoS) attack in the integrated environment, the Software defined
Cognitive Radio Network (SD-CRN).

A DoS is any type of attack which overwhelms a server and prevents it from servicing
its clients. DoS is a challenge in the Internet and other forms of networks. This attack
is also a challenge in the SD-CRN. It can overload the controller and overwhelm its
processing capacity, flood the switch CAM tables and degrade the performance
of the network [1]. This results in loss of revenue for online businesses. Reverse proxy
is one effective defense mechanism which counters the DoS [2]. However, it requires
complementary schemes to improve its effectiveness [2]. More robust approaches are
required to mitigate the effects of the DDoS attacks.

A DoS attack can cause the network to be unstable or unusable by sending data in
special patterns or by flooding the network with packets. Remote services can be
overwhelmed by a stream of packets from attackers or compromised nodes. However, the
effects of DoS can be mitigated in SD-CRN.

The study evaluates the effects of DoS attacks in SD-CRN. The DoS is simulated 
in SD-CRN environment and two countermeasures are evaluated, the Jamming attack 
Defender and the SDN-Guard. The effectiveness of these countermeasures is evaluated 
and comparative results are presented. The following metrics are used for comparison 
purposes: the controller workload, bandwidth of the control plane, Flow table, bandwidth 
of the network, Average processing time, Round trip time, and Signal strength. 


2 Related Work 


Given the significance of 5G enabling technologies such as the SD-CRN, there is a need
to address the security challenges of such technologies. This Section presents related
work and evaluates DoS schemes in SD-CRN. These issues are discussed in [1] and [2].
Nonetheless, we focus on DoS attacks in SD-CRN in this study.

In [3], a scheme is proposed to mitigate DoS in SDN using a Path Randomization 
technique. The study focussed on minimizing the effects of DoS on flow tables, which 
can degrade the network switches. The authors used an algorithm to aggregate flows that 
produced a positive outcome. 

In [4], the effects of DoS on network performance are discussed. The study shows how
the attack affects parameters such as the bandwidth of the control plane (controller-switch
channel) and latency. The impact on the performance of the controller was also analysed.
Unfortunately, these issues were not solved.

In addition, a scheme was proposed in [5], the FlowRanger, which detects and
mitigates the effects of DoS. The FlowRanger consists of the following three
components:


(1) The trust management element which computes a trust value based on its origin for 
each packet-in message. 

(2) The element of the queuing management which stores the message in the priority 
queue which corresponds to its trust value and 

(3) The message scheduling component which uses a weighted Round Robin strategy 
to process messages. 


In [6], a scheme was proposed to protect SDN from the distributed IP filtering DoS
attacks. The proposed scheme analyses user behaviour and assigns flow timeouts based
on user behaviour. The flows of malicious users were assigned short timeouts while
flows of trusted ones were assigned long timeouts. This approach requires malicious
traffic entries to be deleted quickly from the switches' CAM tables. Nevertheless, if the flow
length is greater than the fixed timeout, this may result in new packet-in messages being
transmitted to the controller. This approach also eliminates malicious traffic, which can
pose problems for false-positive flows.

A scheme in [7] leverages SDN’s hierarchical strategy and programmability and 
proposes a self-management scheme involving an ISP and its clients to address DoS. 
The ISP collects risk data from users to use it in the implementation of a security approach 
and to update network flow tables. The ISP controller assigns a high priority value if a 
flow is assumed to be trustworthy. If the authenticity of the flow is in question, the ISP 
controller assigns a low priority to the flow and manages it through the path assigned
to malicious flows. This reduces the effects of the DoS on the network performance by
adjusting the load. Unfortunately, it does not address the overloading of the controller 
and the flooding of the flow tables within the switches. 

The available schemes cannot reduce the load of the controller, the round trip time, the 
switch-to-controller bandwidth, the average processing time, and the network bandwidth 
usage while detecting the malicious nodes. Table 1 summarises the research gaps in 
SD-CRN. 


Table 1. Analysis of the gaps in the literature 


Objective: Minimizing the effects of the following metrics

Approach                    | Controller workload | Control plane bandwidth | Flow table usage | Network bandwidth | Average processing time | Round trip time | Signal strength
SDN-Guard [8]               | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
FlowRanger                  | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗
IP filtering approach [6]   | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓
Jamming attack defender [1] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Self-management scheme [7]  | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓

Regarding security requirements in CRNs, the work in [9] stated that security
requirements such as availability, integrity, identification, authentication and
confidentiality are essential in CRNs. Availability refers to the ability of primary users (PU) and
secondary users (SU) to access the spectrum timeously.

A number of methods for detecting malicious activity using OpenFlow have been
investigated. These methods vary from local network detection of infected hosts by
comparing flows [10] to deterministic sampling using OpenFlow to inspect certain classes of
traffic [11]. With the features available in OpenFlow version 1.0, we explored the
possibilities of using OpenFlow to detect the DoS attacks. An ideal DoS solution may consist of
the following: the initial detection, sampling techniques, and blocking behaviour.

In [12], the focus was on mitigating the DoS attack on flow tables, which results in the
degradation of the network switches. In order to address this issue, a path randomization
technique and a flow aggregation algorithm were proposed. The system performance was
evaluated in a simulation environment that showed some positive results.


3 Methodology 


DoS is the most common and unavoidable threat to SDN security and to all types of
networks. The DoS overloads the network and servers by overwhelming them with
streams of traffic while starving legitimate users of valuable service [13]. In this study,
we investigated the best algorithms designed to detect and address the DoS. This
section generates statistical data through simulations to meet the objectives of this study.
Table 2 depicts the simulation environment and Table 3 presents the parameters used.


Table 2. Simulation environment 


Computer              | HP L425.SCMSDOM.LOCAL
RAM                   | 8,00 GB
CPU                   | Intel® Pentium(D) CPU 2037 @3.19 GHz
OS (operating system) | Microsoft Windows


Table 3. Parameters and tools 


Parameters        | Tools
Network Simulator | Matlab
Controller        | Floodlight 1.2
Switch Software   | OpenFlow V 1.3
IDS               | Snort 2.0.6
Simulation Area   | 150 m * 150 m


SDN-Guard is an SDN application that is plugged into an SDN controller and
which uses the network traffic ID to analyse the flow and raise an alarm when malicious
traffic is detected. Given the alerts and the current state of the network, appropriate
decisions designed to minimize the effects of DoS are made for each flow. It consists of
the following three modules (Fig. 1):


[Figure labels: SDN-Guard, SDN controller, SDN network; packet-in and packet-out messages between them]


Fig. 1. SDN-Guard layout 


The flow management module selects the routing path for each flow and determines
the hard timeout of the TCAM entries according to the risk of the flow, to mitigate the effects
of the DoS [14].

The rule-based aggregation module aggregates malicious traffic entries to
minimize the number of entries used in the switches' TCAMs [14].

The monitoring module collects flow, switch and link statistics (e.g. flow, switch
TCAM and link bandwidth usage) so that other modules can use them [14].

SDN-Guard communicates with an IDS which analyses packet-in messages and
alerts SDN-Guard of the likelihood of flow threats. An IDS can be replaced by a system
capable of accurately evaluating the risk of flows, like the one used in [15].

To address the DoS on the SD-CRN, the proposed scheme consists of the following: 


Threat-Based Routing: To address the effects of DoS on bandwidth usage and queuing
delays, SDN-Guard reroutes malicious traffic to the least-used links based on bandwidth
requirements and the usage of the switches' ternary content addressable memories (TCAMs).
Thanks to the statistical data collected by the monitoring module, the flow management module has
access to the values of these two parameters. A generated path ensures minimal
impact of the attack and may not be a shortest path. Malicious traffic must reach the
destination, where it can theoretically be further analysed by an IDS or by a prevention system
(which is critical in the case of false positive malicious flows). We do not drop malicious
traffic, to ensure that false positive malicious flows, with higher delays, can reach their
destination. The non-malicious flows are routed through the shortest paths to ensure
minimum delays [14].


Timeout Management: Depending on the probability of threat, the flow management
module sets the timeout for each flow. The switch communicates with the controller when
the hard timeout expires. A shorter hard timeout therefore increases this
traffic. This not only increases the bandwidth usage of the switch-to-controller channel, but
also overloads the controller. If the flow is malicious, the SDN-Guard sets a high timeout for
the flow. The idea is to ensure that the flows do not trigger more traffic between the controller
and the switch [14].


Malicious Flow Rule Aggregation: Malicious flows are assigned a longer hard timeout.
These flows are retained for a longer duration. They may overload the flow
tables as the number of entries in the flow tables increases. Flow aggregation is considered
as a solution to this challenge: the aggregation module aggregates malicious flows
in a given switch on the basis of the same source and destination [14].

When a new flow is received by a switch and cannot be associated with any
rule, control is passed to the controller for an appropriate forwarding rule. The packet-in
messages are sent to the IDS, which analyses their threat. The threat probability is used for
routing decisions and for setting timeouts for entries in the switches’ TCAMs. Two cases
can be identified:


Table 4. Flow management decisions 


Flow type Threat probability Timeout Path Rule aggregation 
Legitimate Low Default Shortest Optional 
Malicious High High Least-utilized links Mandatory 
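
The decisions in Table 4, as an added example (not code from SDN-Guard or from this paper): a flow management sketch that takes the IDS threat probability for a packet-in and returns the path, hard timeout and rule match to install. The 0.5 threshold, the timeout values, the topology, link utilisations and addresses are constructed assumptions.

```python
import heapq

# Constructed assumptions for illustration; the paper does not give these values.
THREAT_THRESHOLD = 0.5      # IDS threat probability at or above which a flow is "malicious"
DEFAULT_TIMEOUT_S = 10      # hard timeout for legitimate flows
MALICIOUS_TIMEOUT_S = 120   # long hard timeout, so the rule is not re-requested often

# Constructed topology: link -> utilisation (0..1) as reported by the monitoring module.
LINK_UTIL = {
    ("s1", "s2"): 0.80, ("s2", "s4"): 0.70,                       # short but busy
    ("s1", "s3"): 0.10, ("s3", "s5"): 0.05, ("s5", "s4"): 0.10,   # longer but idle
}


def best_path(links, src, dst, cost):
    """Dijkstra over an undirected graph; cost(utilisation) weights each link."""
    adj = {}
    for (a, b), util in links.items():
        adj.setdefault(a, []).append((b, util))
        adj.setdefault(b, []).append((a, util))
    heap, done = [(0.0, src, [src])], set()
    while heap:
        total, node, path = heapq.heappop(heap)
        if node == dst:
            return path
        if node in done:
            continue
        done.add(node)
        for nxt, util in adj.get(node, []):
            if nxt not in done:
                heapq.heappush(heap, (total + cost(util), nxt, path + [nxt]))
    return None  # destination unreachable


class FlowManager:
    """Applies the Table 4 decisions and tracks the TCAM entries it installs."""

    def __init__(self, links=LINK_UTIL):
        self.links = links
        self.tcam = {}  # switch -> set of installed match keys

    def handle_packet_in(self, flow, threat_probability):
        malicious = threat_probability >= THREAT_THRESHOLD
        if malicious:
            # Least-utilised links, even if the path is longer; traffic is not dropped.
            path = best_path(self.links, flow["ingress"], flow["egress"], lambda u: u)
            timeout = MALICIOUS_TIMEOUT_S
            # Mandatory aggregation: one rule per (source, destination), ports wildcarded.
            match = (flow["src_ip"], flow["dst_ip"], "*", "*")
        else:
            # Shortest path in hops for minimum delay; exact-match rule.
            path = best_path(self.links, flow["ingress"], flow["egress"], lambda u: 1)
            timeout = DEFAULT_TIMEOUT_S
            match = (flow["src_ip"], flow["dst_ip"], flow["src_port"], flow["dst_port"])
        if path is None:
            raise ValueError("no path between ingress and egress switch")
        for switch in path:
            self.tcam.setdefault(switch, set()).add(match)
        return {"malicious": malicious, "path": path,
                "hard_timeout": timeout, "match": match}


def demo():
    """Run three constructed flows through the manager and return the decisions."""
    mgr = FlowManager()
    base = {"ingress": "s1", "egress": "s4", "dst_ip": "10.0.0.6", "dst_port": 80}
    flows = [
        (dict(base, src_ip="10.0.0.1", src_port=40001), 0.92),  # flagged by the IDS
        (dict(base, src_ip="10.0.0.1", src_port=40002), 0.88),  # same source, new port
        (dict(base, src_ip="10.0.0.4", src_port=51000), 0.03),  # legitimate
    ]
    decisions = [mgr.handle_packet_in(f, p) for f, p in flows]
    return mgr, decisions


if __name__ == "__main__":
    manager, results = demo()
    for r in results:
        print(r)
    print({sw: len(rules) for sw, rules in manager.tcam.items()})
```

The two flagged flows share one aggregated entry on every switch of the idle path, while the legitimate flow keeps its own exact-match rule on the shortest path.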


The Placement of IDS and Traffic Management. 
There are two IDS deployment options: 


• Under the first option, multiple IDS can be deployed to one switch. Each IDS then
analyses the traffic passing through its associated switch.
• In the second option, a single IDS is deployed which analyses all the traffic.


The following are proposed as possible solutions: 


(1) optimal IDS placement and traffic mirroring 
(2) switch-to-IDS traffic sampling 


The two possible solutions are discussed in detail in the sequel: 


Optimal IDS Placement and Traffic Mirroring: An optimal placement determines the location
of the IDS and the switches which should mirror the flows, so as to minimize the mirrored traffic and the
bandwidth required (by minimizing the number of links used by mirrored traffic). An
Integer Linear Program (ILP) can be used to model the IDS placement problem [4].


Let G = (N, L) represent the network where N is the set of switches and L is the set 
of links connecting to the switches. 

We define $p_{n\bar{n}}$ as the cost of the shortest path from switch $n \in N$ to switch
$\bar{n} \in N$, which corresponds to the number of hops between the two switches.

Let $i \in I$ denote a flow in transit in a network. The throughput of the flow $i$ is denoted
by $f_i$.

Define $r_{in} \in \{0, 1\}$ as a boolean variable which equals 1 if the flow $i \in I$ passes
through the switch $n \in N$.

The controller has knowledge of the defined variables. A flow $i$ cannot be forwarded
from a switch $n$ if it doesn’t pass through the switch, hence we have

$$x_{in} \le r_{in} \quad \forall n \in N, \; \forall i \in I. \tag{1}$$

We also define the decision variable $x_{in} \in \{0, 1\}$ as a boolean variable that indicates
whether the flow $i$ is mirrored from the switch $n$ to the IDS. Each flow $i$ is mirrored only
once to the IDS. The following constraint must be met:

$$\sum_{n \in N} x_{in} = 1 \quad \forall i \in I. \tag{2}$$

The cost of mirroring the flows to an IDS $\bar{n} \in N$ corresponds to the amount of mirrored
traffic forwarded from the switches to the IDS. This can be calculated as:

$$C_{\bar{n}} = \sum_{i \in I} \sum_{n \in N} x_{in} \, p_{n\bar{n}} \, f_i \quad \forall \bar{n} \in N. \tag{3}$$

Finally, the objective is to find the switch $\bar{n} \in N$ that minimizes the mirroring cost:

$$\min_{\bar{n} \in N} C_{\bar{n}} \tag{4}$$

The proposed ILP provides the location of the IDS (i.e., $\bar{n}$) and the switches which forward
the traffic to the IDS (using the decision variable $x_{in}$). Figure 2 depicts the experimental
environment.
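
A worked instance of Eqs. (1)-(4), added here and not taken from the paper: with a single IDS the program can be solved exactly by trying every candidate switch, mirroring each flow from the switch on its own path that is closest to the candidate (which satisfies Eqs. (1) and (2) and is the cheapest choice per flow), and keeping the candidate with the lowest cost. The topology, flow paths and throughputs are constructed.

```python
from collections import deque

# Constructed sample network G = (N, L): switch names and links are illustrative.
LINKS = [("s1", "s2"), ("s2", "s3"), ("s3", "s4"), ("s2", "s5"), ("s5", "s4")]

# Constructed flows: the switches each flow traverses (this defines r_in) and its
# throughput f_i in Mbps.
FLOWS = {
    "f1": {"path": ["s1", "s2", "s3"], "rate": 10.0},
    "f2": {"path": ["s5", "s4"], "rate": 40.0},
    "f3": {"path": ["s1", "s2", "s5"], "rate": 5.0},
}


def hop_counts(links, source):
    """Breadth-first search: number of hops from `source` to every reachable switch."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    dist, queue = {source: 0}, deque([source])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def mirroring_cost(links, flows, candidate):
    """Cost of Eq. (3) for an IDS attached to `candidate`, plus the mirror switch per flow."""
    dist = hop_counts(links, candidate)
    unreachable = float("inf")
    cost, mirror_points = 0.0, {}
    for flow_id, flow in flows.items():
        # Eq. (1): only switches on the flow's path may mirror it.
        # Eq. (2): exactly one of them does; the one nearest the IDS is cheapest.
        mirror = min(flow["path"], key=lambda s: (dist.get(s, unreachable), s))
        cost += dist.get(mirror, unreachable) * flow["rate"]   # hops x throughput
        mirror_points[flow_id] = mirror
    return cost, mirror_points


def place_ids(links, flows):
    """Eq. (4): return (ids_switch, cost, mirror_points) with the minimum cost."""
    switches = sorted({s for link in links for s in link})
    costs = {n: mirroring_cost(links, flows, n) for n in switches}
    best = min(switches, key=lambda n: (costs[n][0], n))
    return best, costs[best][0], costs[best][1]


if __name__ == "__main__":
    for switch in ["s1", "s2", "s3", "s4", "s5"]:
        print(switch, mirroring_cost(LINKS, FLOWS, switch))
    print("IDS placement:", place_ids(LINKS, FLOWS))
```

The heaviest flow pulls the IDS towards its own path: the candidate that sees the 40 Mbps flow locally wins even though two lighter flows must be mirrored or traverse it.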


Fig. 2. Experimental setup 

Figure 2 shows a topology with eight OpenFlow switches and six hosts. The controller
CO is connected to switch S5, and data is forwarded through switch S5. The hosts h1,
h2, and h3 are malicious nodes and the server h6 is the DoS target [4].

The experiment begins when normal traffic consisting of TCP flows is sent by all
source nodes. In this case, the DoS transmission lasted for 10 min, during which the server
was flooded with TCP streams. To launch the DoS, TCP traffic was sent using the ping
command to generate streams of traffic designed to flood the target, the server, with
TCP-SYN, ICMP, and UDP packets from different sources with different IP source
addresses. This traffic mimics a DoS originating from different sources [4].

The efficiency of the IDS was evaluated using sampled traffic. The performance was
evaluated using the packet-processing time as the sampling rate was varied. Three types
of DoS were generated, namely TCP-SYN, UDP, and ICMP flooding, for 30 min. A
number of experiments with different sampling rates were conducted. A sampling
rate of p% means that p% of the mirrored traffic is dropped randomly at the switches
before the remainder is forwarded to the IDS. The efficiency was determined by the percentage
of detected attacks, that is, the number of attacks which were detected successfully in sampled
traffic divided by the total number of attacks detected [4].

The second scheme we used is the Jamming Attack Defender. 

In a jamming attack, the attacker (jammer) maliciously sends or receives data to
interfere with genuine users in a session. This situation in turn creates a DoS condition. The
jammer may continuously send data packets so that a genuine user may not sense the
channel as idle. On the other hand, the legitimate users receive junk packets sent
continuously by the jammer. The jammer may overwhelm radio transmission and corrupt the
data packets that legitimate users receive. In the worst case, the attacker may jam the
dedicated channel used to communicate sensing information among CRs. This attack is
called a common control data attack. In addition, if the attacker listens on the control
data, the attacker overhears which new channel the CRN is switching to and jams it.
These jamming attacks can be done at the MAC and physical layers [5].

The attackers have different network attack strategies. The detection of security 
threats is therefore possible. The attackers may attack both PUs and SUs while in general, 
SUs are targeted. A number of detection techniques have been introduced in the detection 
and mitigation of attacks in CRN. The detection technique involves two phases which 
are the learning phase and the detection phase [5]. 

In this work, the physical layer attack, namely the jamming attack, is considered.
A jamming attack is detected through the observation of signal strength (SS) and packet
delivery ratio (PDR). The collection of information regarding SS and PDR facilitates
the detection phase of the IDS to effectively detect unknown attacks in CRNs. In
the learning phase, the normal network behaviour or its performance is observed. In
the detection phase, the abnormal changes are detected using the non-parametric cumulative
sum control chart (cusum) algorithm [5].

During the detection phase, the IDS detects the point of change in CRN operation.
When a malicious user jams the SU, the SS measured at the SU is examined.
If the SS is high, then its PDR is dropped. The PDR is the ratio of the number of packets
received by the user to the number of packets sent [3, 16]. To detect the change in the PDR of
an SU targeted by a jamming attacker, the cusum algorithm based on a change point detection
algorithm is employed. It is assumed that under normal conditions the mean value of the
random sequence is negative, and that it becomes positive if any change is detected.
The $G_n$ sequence is obtained as:

$$G_n = \beta - F_n \tag{5}$$

where $\beta$ is the average of the minimum (negative peak) values of $F_n$ throughout the
profiling period. The increase in the mean $G_n$ value can be lower bounded by h = (2)
during a jamming attack. Then, the cusum sequence $Y_n$ is expressed as in Eq. (7), where:

$$q^{+} = q \ \text{if } q > 0; \ \text{otherwise } q^{+} = 0 \tag{6}$$

$$Y_n = (Y_{n-1} + G_n)^{+}; \quad Y_0 = 0 \tag{7}$$

A large value of $Y_n$ implies an anomaly. The detection threshold $\theta$ is computed as
follows:

$$\theta = (m - \beta)\, t_{des} \tag{8}$$

where $t_{des}$ denotes the desired detection time. It is set to a small value for the earliest detection
of an anomaly in the CRN. In the detection phase, the IDS computes $Y_n$ over a certain period.
The value of $Y_n$ remains close to zero while the CRN is in normal operating condition.
The value of $Y_n$ starts to increase in the presence of a jamming attack. If $Y_n$ goes above the
pre-determined value of $\theta$, and the SS at the SU is high, an alert is generated indicating
a possibility of a jamming attack [3, 16]. Figure 3 depicts the operations of the IDS.


Step 1: ‘Fn’ sequence is obtained by fraction of failed session in the previous normal condition.

Step 2: IDS operates equal time-rounds An, where n = 1, 2, 3...

Step 3: Calculate mean of ‘Fn’ represented by ‘m’ (during the profiling period, that means no or low jam scenario).

Step 4: ‘m’ is continuously monitored by IDS for a significant change in the value of ‘m’. In case of any changes in ‘m’ it is considered as jamming attack.

Step 5: ‘m’ remains close to one until an anomaly occurs.


Fig. 3. Flow chart of IDS operation 

The IDS is implemented in a MATLAB environment. The presence of a licensed user
or SU is recognised using the power spectral density in a particular channel. We assume
that the IDS operates at equal time bounds (An where n = 1, 2, 3...). Then the operation
described in Fig. 3 is performed by the SUs or the cognitive users.
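
The learning and detection phases of Eqs. (5)-(8), as an added example rather than the authors' MATLAB implementation: m and β are learned from an attack-free trace, Y_n is updated every round, and an alert is raised only when Y_n exceeds θ while the signal strength at the SU is high. It assumes F_n is the per-round PDR with G_n = β − F_n, reads the "negative peaks" as local minima of the trace, and uses constructed traces, a constructed −60 dBm cut-off for "high" SS and t_des = 3 rounds.

```python
from statistics import mean

# Constructed attack-free PDR trace F_n for the learning (profiling) phase.
PROFILE_PDR = [0.98, 0.95, 0.99, 0.94, 0.97, 0.96, 0.99, 0.95, 0.98, 0.97]

# Constructed monitoring rounds: (PDR, signal strength at the SU in dBm).
# Rounds 5-8 model a jammer: the PDR collapses while the received SS is high.
JAMMED = [(0.97, -82), (0.96, -80), (0.94, -81), (0.98, -83),
          (0.70, -48), (0.55, -45), (0.40, -44), (0.42, -46)]
# The PDR also collapses here, but the SS stays low (a weak link, not a jammer).
WEAK_LINK = [(0.97, -82), (0.60, -88), (0.50, -90), (0.45, -91)]

SS_HIGH_DBM = -60   # assumed cut-off for "the SS at the SU is high"
T_DES = 3           # assumed desired detection time, in rounds


def learn(profile):
    """Learning phase: return (m, beta) from an attack-free PDR trace."""
    m = mean(profile)
    # Interpretation used here: the negative peaks are the local minima of F_n.
    dips = [profile[k] for k in range(1, len(profile) - 1)
            if profile[k] < profile[k - 1] and profile[k] < profile[k + 1]]
    beta = mean(dips) if dips else min(profile)
    return m, beta


def detect(rounds, m, beta, t_des=T_DES, ss_high=SS_HIGH_DBM):
    """Detection phase: return (alert_rounds, y_values); rounds are numbered from 1."""
    theta = (m - beta) * t_des                # Eq. (8): detection threshold
    y, alerts, y_values = 0.0, [], []
    for n, (pdr, ss) in enumerate(rounds, start=1):
        g = beta - pdr                        # Eq. (5): negative while the PDR is normal
        y = max(0.0, y + g)                   # Eqs. (6) and (7): clipped cumulative sum
        y_values.append(y)
        # Both conditions are required: a PDR change point AND a strong received signal.
        if y > theta and ss > ss_high:
            alerts.append(n)
    return alerts, y_values


if __name__ == "__main__":
    m, beta = learn(PROFILE_PDR)
    print("m =", round(m, 3), "beta =", round(beta, 3),
          "theta =", round((m - beta) * T_DES, 3))
    print("jammed trace alerts:", detect(JAMMED, m, beta)[0])
    print("weak-link trace alerts:", detect(WEAK_LINK, m, beta)[0])
```

The weak-link trace drives Y_n above θ just as the jammed trace does, so the signal-strength condition is what keeps an ordinary link failure from being reported as jamming.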


4 Results 


In this Section, we present and analyse the generated results of the study which are 
represented graphically. We considered two schemes in this research, SDN-Guard and the 
jamming attack defender. The set of results of the two schemes are therefore presented. 

Figure 4 depicts the simulation area. It shows the 10 nodes which are moving within 
the 150 m * 150 m grid area. In addition, the network also consists of a base station and 
four attacking nodes. The malicious nodes launch the DoS attack in the network. 


Fig. 4. Simulation area 


To evaluate the two schemes and generate comparative results, we considered the 
following metrics: Average round trip time, Average packet processing time, and Power 
Spectral density. 

Figure 5 presents the average RTT values of the SDN-Guard and the Jamming Attack
Defender. The RTT of the Jamming Attack Defender is higher than the RTT of the SDN-Guard,
a difference caused by the longer timeouts associated with malicious traffic. These timeouts
prevent the switches from requesting new flow rules, so the requests for flow entries are
not sent to the controller. We can see that SDN-Guard is the better scheme because it has
lower RTTs.

The Power Spectral Density (PSD) is a measure of a signal’s power content versus
frequency. A PSD characterizes broadband random signals. The magnitude of the PSD
is normalized by the spectral resolution employed to digitize the signal.

Fig. 5. Average Round-Trip-Time (RTT) for SDN-Guard and Jamming Attack Defender


Figures 6 and 7 present the power density spectrum of one PU available in the slot. 
The other four user slots are free which means the spectrum is available for SU. 

Figure 6 shows the power spectral density of the Jamming Attack Defender. At
frequency 0, the magnitude is at 17 dB. As the frequency increases to 5 Hz, the magnitude
increases to 40 dB and it starts decreasing thereafter. The magnitude then remains constant
at 15 dB as the frequency increases from 25 Hz to 30 Hz.




Fig. 6. Power Spectral density of Jamming Attack Architecture 


Figure 7 presents the PSD of the SDN-Guard architecture. At frequency 0, the mag- 
nitude is at 17 dB. As the frequency increases, the magnitude starts decreasing. This 
means that the Jamming Attack Defender has a better PSD because it remains constant 
while the PSD of the SDN-Guard decreases. Therefore, the Jamming Attack Defender 
has better signal strength than the SDN-Guard. 

Fig. 7. Power Spectral density of SDN-Guard Architecture

Sampling reduces the IDS workload, which reduces the packet-processing time of the
IDS, that is, the amount of time the IDS takes to analyse a packet. This time depends on the number
of security rules and the IDS workload. Figure 8 depicts the average packet processing
time for the SDN-Guard as the sampling rate was varied. When sampling is not
considered, the average packet-processing time is about 14 s. The processing time later
decreased to 10.5 s and thereafter gradually as the sampling rate increased to 80%. This
means that as we increased the size of the sample, the processing time decreased, which
shows that the SDN-Guard can process a large number of packets at a faster rate.


[Figure plot; y-axis: average packet processing time (s)]


Fig. 8. Average packet processing time for SDN-Guard 


Figure 9 shows the average packet processing time of the Jamming Attack Defender
as the sampling rate was varied. When sampling is not considered, the average
packet-processing time is about 23 s. The processing time later decreased to 19.5 s as the
sampling rate was increased to 80%. We observed that as we increased the number of
packets the processing time decreased.

Fig. 9. Average packet processing time for Jamming Attack Defender

Given the results in Figs. 8 and 9, we can conclude that the sampling rate of 80%
reduces the mirrored traffic while the packet-processing time reduces to 50% with IDS
accuracy remaining at 100%. We can also conclude that the SDN-Guard reduces the
packet processing time efficiently as compared to the Jamming Attack Defender, which
means that the SDN-Guard is superior to the Jamming Attack Defender.


5 Conclusion 


The study compared SDN-Guard to the Jamming Attack Defender. The objective was to
evaluate the performance of the two schemes in order to have an in-depth understanding
of them, with a view to designing a new scheme based on the best-performing
attributes of the two schemes. SDN-Guard and Jamming Attack Defender rely on IDS
alarms in analysing the network traffic to efficiently protect the SD-CRN.

We also investigated the use of sampling to reduce mirrored traffic. We observed that 
the SDN-Guard is efficient in reducing the amount of mirrored traffic compared to the 
Jamming Attack Defender. We also observed that in terms of the source-to-destination 
RTT, the SDN-Guard takes less time compared to the Jamming Attack. 

Lastly, we observed that the Jamming Attack Defender outperforms the SDN-Guard
in terms of PSD.

The main objective of the study was to compare the SDN-Guard and the Jamming 
Attack Defender to find out which scheme detects and mitigates the DoS in SD-CRN 
efficiently with a view of improving the two schemes. We considered the average round 
trip time, average packet processing time, and the Power Spectral Density. The results 
show that the SDN-Guard outperforms the Jamming Attack Defender. 

Abstract. The study evaluates two Distributed Denial of Service (DDoS) attack
detection schemes, the Cloud-based and the NetPlumber. The schemes are evaluated
in terms of CPU and memory utilization. The main objective is to identify the
better algorithm with a view to enhancing the schemes. The related work on detection
algorithms was reviewed. The schemes are evaluated in a Software defined
and Cognitive Radio (SD-CRN) Network environment. An early and
lightweight detection scheme is desirable.

The desirable algorithm detects the attack within the least number of packets. 
It also consumes less memory and the least amount of CPU time on average. The 
study uses a statistical approach with the covariance matrix to evaluate the effect 
of the attack on the SD-CRN controller. SD-CRN introduces a programmable, 
dynamic, adaptable, manageable and cost-effective network architecture. 

DDoS attacks deplete the network bandwidth or exhaust the victim’s
resources. Researchers have proposed a number of defence mechanisms (such
as attack prevention, traceback, reaction, detection, and characterization) in an
endeavour to address the effects of the DDoS attacks. Unfortunately, the incidents
of the attacks are on the rise. However, the results of this evaluation show that the
NetPlumber is the promising algorithm.


Keywords: Detection - Distributed Denial of Service - Performance evaluation 


1 Introduction 


Technological advances in a number of fields have created a cyber-world in which 
things are done electronically with speed. The advances are increasing complexity and 
information overload while drastically reducing decision making durations. 

Software Defined Networking (SD-CRN) introduces a programmable, dynamic, 
adaptable, well-managed and cost-effective network architecture. Network adminis- 
trators have a global view of the network topology and can manage the behavior of 
the network through abstraction of higher-level functionality by separating the control 
plane from the data plane. This emerging architecture is dynamic and is able to deal with 
dynamic applications. Software Defined Networking (SDN) employs an open
standard-based and vendor-neutral approach using the OpenFlow protocol for the realization of
the SD-CRN architecture. Its fundamental feature is to manage the flow of traffic on the
network through defining flow table entries. Network administrators can easily manage
an SDN network [1].

SDN attempts to build a computer network by separating it into two systems. The
first system is the control plane, which provides performance and fault management,
network flow management and management of the network topology. The controller can process
connection requests and manage links between devices. The second system is the data plane, where
switches may rely on the controller to make decisions or can make decisions on their
own. The controller can determine a connection path if the switch requests one from
the controller. The controller could do so by using the control protocol. The controller
decides whether the flow could be granted [1].

CRN is an adaptive, intelligent radio and network technology that can detect avail- 
able channels in a wireless spectrum and change transmission parameters to adapt to 
the spectrum environment. It also enables a number of communication sessions to run 
concurrently. It’s also an intelligent, reconfigurable and dynamic radio technology [2]. 


2 Related Work 


Several studies have been done with the aim of determining the performance of SDN
controllers. The work done in [3] provides a comparative study of SDN controllers but
considered a limited number of controllers, such as the NOX-MT, Beacon and Maestro.
It focused on the performance of controllers. However, these controllers have since been
replaced by other controllers such as the POX, Ryu, Floodlight and OpenDaylight, which
are the most used controllers in the network environment.

The study conducted provided a set of requirements that are the basis of the com- 
parison between the controllers: TLS Support, virtualization, open source, interfaces, 
GUI, RESTful API, productivity, documentation, modularity, platform support, age, 
OpenFlow support, and OpenStack Neutron support. The comparison was done using a 
Multi Criteria Decision Making (MCDM) method named the Analytic Hierarchy Pro- 
cess (AHP) adapted by a monotonic interpolation/extrapolation mechanism which maps 
the values of the properties to a value in a pre-defined scale. By using the adapted AHP, 
five controllers (POX, Ryu, Trema, Floodlight, and OpenDaylight) have been compared, 
and “Ryu” was observed to be the best controller based on the metrics used. However, the 
assumed scale is subjective and changing the scale would result in a different conclusion. 
In this study, we compare four schemes using only one controller [4]. 

In [4], the malicious nodes are detected through the unique identifier of nodes. The
algorithm is effective in detecting malicious nodes; however, it does not address the
effects of the attacks. In [5], the effects of the distributed denial of service attack are
examined and some detection techniques are proposed that can be implemented in an effort
to prevent the DDoS attack.


3 Simulation Environment 


This study employed a statistical approach which was used to collect data using math- 
ematical and statistical equations or computational simulations such as discrete event 
and Matlab simulators. This study depends on network simulations to collect data. 
This approach refers to the systematic empirical investigation of social phenomena
using statistical, mathematical, or computational techniques. This approach is useful
when a study involves large-scale networks such as WiMAX.

This study uses cluster sampling to sample the nodes of the network. In cluster
sampling, the population is divided into groups, usually geographically. These groups
are called clusters. The clusters are randomly selected, and each element in the selected
cluster is used. In this study, the population of 150 nodes was divided into four clusters.
The four scenarios had the following number of nodes: 30, 50, 80 and 150. For each scenario,
30% to 90% of attacking nodes were considered. The packets were sent to the controller
randomly using simple random sampling (SRS).


4 Results and Analysis 


4.1 The Effect of DDoS Attack on the Controller 


The flooding of the controller by the DDoS is one scenario which can directly affect the
controller with a stream of packets. Packets that do not have a match in the flow table are
sent to the controller for processing. Most DDoS attacks use spoofed source addresses,
which translate into new incoming packets at the switch. When the number of new
incoming packets exhausts the bandwidth of the channel and the processing power of the
controller, the attack overwhelms the controller. The DDoS uses a number of compromised
distributed streaming nodes designed to overwhelm the target, the controller.


4.2 Controller Usage Without the DDoS Attack 


During these experiments, we monitored the bandwidth usage, the consumption of the
CPU time of the controller, the response rate and also the memory utilization of the
controller. The study also evaluated the usage of the resources on the controller under
normal conditions when there is no attack. To ensure that the results are not distorted,
all the processes on the machine were disabled, in order to effectively monitor the resource
usage of the controller. The bandwidth on the controller was set to 1000 Mbps, the
memory of the controller was set to 1.7 GB, and the CPU was set to 1.80 GHz. The
study also evaluated the response rate of the controller. The CPU and bandwidth results
are shown in Figs. 1 and 2 respectively.

Attacking nodes generate a large amount of traffic that is forwarded to the controller.
The streams of generated traffic degrade the performance of the controller to the extent
that it may not be able to provide service to legitimate nodes. When there were 100
nodes in the network, the traffic rate was observed to be 548.88 Mbps. This is a large
amount of traffic that cannot be handled by one controller. Increasing the number of nodes is likely
to degrade the controller’s response time. It also consumes a lot of CPU time, while
few nodes require less CPU processing time. It also consumes a lot of memory when
the number of nodes is increased. When the number of nodes was set to 80, 36% of
the memory was utilized, while for 100 nodes, 40% of the memory was used, as shown
in Fig. 1. If the number of nodes kept increasing, the controller would be likely to crash
when 100% of the CPU time is utilized. This may also cause some bottlenecks in the
connection.

Fig. 1. CPU and Memory usage with 0% of attacking nodes

Fig. 2. Bandwidth utilization in Mbps and response rate of the controller in p/sec with 0% of
attacking nodes results

4.3 Comparison of DDoS Attack Detection Algorithms


In Fig. 3, we compared the performance of the cloud-based and NetPlumber detection
algorithms to find out which of the two schemes detects the DDoS attack earlier. The
cloud-based scheme detects the DDoS attack within the first 650 packets received by the
controller in the network with 20 nodes. The number of received packets decreased for all
the detection schemes as the number of nodes in the network increased, as shown in Fig. 3.


Fig. 3. Comparison of two DDoS attack detection algorithms with 30% of the attacking node


Figure 3 also presents the performance of the algorithms as the number of nodes was
increased in the network. This increased the amount of traffic in the network. Suppose
that a specific node can produce 100 packets per millisecond when the number of
nodes in the network is 100. Then, if there are 40 malicious nodes in the network,
700 packets per millisecond would be generated. In this case, the NetPlumber detection
scheme outperformed the cloud-based algorithm. It detected the DDoS attack within the
first 590 packets.

In Fig. 4, we present the results of the scenario populated with 60% of malicious 
nodes. The results show a change in the detection rate. 

The results in Fig. 4 show that the NetPlumber and cloud-based schemes were still
performing better compared to the scenario with 30% attacking nodes. They were able
to detect the attack within fewer received packets than in the scenario with 30%
attacking nodes. However, the NetPlumber detection scheme performed better than the
cloud-based algorithm. The experiment was run three times to verify the results. We
observed that as the number of nodes in the network increased, the detection rate
improved. The NetPlumber detection algorithm managed to detect the attack within the
first 435 received packets in a network scenario with 100 nodes and 60 malicious nodes,
which produced 2000 streams of packets per millisecond worth of traffic.

Fig. 4. Comparison of two DDoS attack detection algorithms with 60% of the attacking nodes

Figure 5 depicts the results of the third scenario. The NetPlumber detection algorithm
was observed as the better performing algorithm.

Fig. 5. Comparison of two DDoS attack detection algorithms with 90% of the attacking nodes

A fast detecting scheme that is also lightweight in terms of CPU and memory usage
is desirable. The cloud-based algorithm at some point performed better than the
NetPlumber detection algorithm; however, it consumed a higher percentage of the CPU and
memory of the controller as compared to the NetPlumber algorithm. NetPlumber consumed
less memory and CPU time. It also takes less time and fewer packets to detect the attack
as compared to the cloud-based algorithm. Figure 6 depicts the memory utilization results.

Fig. 6. Memory usage for experiments


The results presented in Fig. 6 show that the NetPlumber detection algorithm is the
best performing scheme in terms of the CPU consumption. It consumed 26% of the
memory while cloud-based consumed 30% on average. The cloud-based algorithm is also
poor in the detection of the DoS attack. Figure 7 presents the CPU utilization results.

Figure 7 presents the results of the CPU usage of the two algorithms. The NetPlumber
detection algorithm achieved the better performance as compared to the cloud-based
algorithm. It consumed the least amount of CPU time, on average 47% of the
controller’s CPU time. The cloud-based detection algorithm is the worst performing
scheme; it consumed the most processing power of the controller, which is 48.2%
on average.


70 V. Rikhotso and M. Velempini 


[Figure: CPU usage (%) versus number of nodes for the cloud-based and NetPlumber algorithms]


Fig. 7. CPU usage for experiments 


5 Conclusion 


In our study we investigated two algorithms designed to detect the DDoS attack. The
results show that NetPlumber is a lightweight and early detection algorithm which
can detect a high traffic rate DDoS attack. We also observed that the controller can
withstand the attack for a few seconds when the number of malicious packets is less than
300 Mbps. Network scenarios with many controllers may be considered in the future.


Abstract. Cognitive Radio Networks (CRN) were proposed to improve the utilization
of wireless spectrum resources. However, they are susceptible to various security
attacks like any other wireless network. CRN technology allows secondary users
(SU) to opportunistically utilize the idle spectrum while avoiding interfering with
primary users (PU). Spectrum sensing is a key characteristic of this technology and
it is the main enabling functionality in facilitating the utilization of free channels
by PUs and SUs. Unfortunately, malicious users can interfere with either the PUs
or SUs. The Spectrum Sensing Data Falsification (SSDF) attack is one of the major
attacks in CRN; it results in incorrect spectrum access decisions being made, which
in turn result in interference. There is therefore a need to investigate this
attack and design robust SSDF mitigation schemes. In this study, we investigate
different approaches to prevent or mitigate the SSDF attack, evaluate comparative
results of the two best mitigation schemes in the literature and make recommendations
for future research. Three metrics were used to evaluate the performance of the
schemes: missed detection, success and false alarm probabilities. It is shown through
MATLAB simulation results that extreme studentized cooperative consensus spectrum
sensing performs better compared to the reputation-based and majority ruling scheme.


Keywords: Spectrum Sensing Data Falsification · Cognitive Radio Ad hoc Network


1 Introduction 


The advancement in wireless technology resulted in spectrum congestion due to the ever
increasing demand for the wireless spectrum [1]. Joseph Mitola proposed the cognitive
radio network (CRN) as a solution to the problem of spectrum congestion [2]. This is
achieved by allowing unlicensed users/secondary users (SUs) to opportunistically utilize
the licensed spectrum band. The Federal Communications Commission (FCC) in 2008 [3],
followed by the office of communication in 2010 [4], made a decision to avail the licensed
spectrum to unlicensed users. The SUs scan the radio environment to check for the
availability of the spectrum bands and utilize them opportunistically. They are expected
to vacate them when the signals of the Primary User (PU) are detected. SUs cooperate in
using the idle spectrum. Therefore, security is a critical aspect of this technology. Hence,
in this paper we focus on Spectrum Sensing Data Falsification (SSDF), also known as the
byzantine attack. The attack impacts negatively on the success of CRN since it interferes
with the spectrum sensing phase, which is significant for spectrum access decision making.
In this attack, the attacker shares false spectrum occupancy data with its neighbours,
which results in incorrect spectrum access decisions being made.

The study investigated different types of SSDF attacks, which can be categorized
according to their signatures [5]. In a greedy SSDF attack, the attacker reports that a
spectrum is occupied by a PU when it is not. This results in the attacker monopolizing a
specific band by deceiving other legitimate nodes into assuming that the spectrum is
occupied. In a malicious SSDF attack, the attacker’s main objective is to cause disruption
on the network. A malicious user may send the wrong sensing results to the Fusion Centre
(FC) or other nodes. This causes other nodes to assume that there exists a PU which
is active in the spectrum when it is not, or it may cause the other nodes to assume that
there is no PU occupying the spectrum when the spectrum is not idle. This causes the
legitimate users to vacate the spectrum band in the first case and causes interference to
the PU in the second case.

Furthermore, the paper compared the two best schemes in the literature designed to
mitigate the SSDF attack. The evaluated schemes are the Reputation-based and Majority
ruling scheme [6] and the Extreme Studentized Cooperative Consensus Spectrum Sensing
(ESCCSS) scheme [7]. The schemes utilize energy detection, which means that the
received energy is a proportion of a specific part of the spectrum. The detector compares
the computed energy to a threshold value to decide when the channel is free [8].

The rest of this paper is organized as follows: The related work is presented in
Section 2. In Section 3, we describe the schemes to be analysed. We present the
methodology in Section 4. The comparative results are presented in Section 5. Finally,
we conclude and recommend future research direction in Section 6.


2 Related Work 


There are a number of studies which sought to address SSDF attack in literature and this 
section reviews some related works. 

The authors in [9] developed a scheme called the Conjugate Prior-Based Detection 
scheme (CoPD) to mitigate the SSDF attacks in a cognitive radio environment. The 
scheme isolates false sensing reports generated by Malicious Users (MUs), so that SUs 
can correctly detect the activities of PUs. The scheme handles the sensing reports from 
SUs as random variables, then considers the probability density of the random variables 
through a method known as the Conjugate-Prior. The CoPD can also isolate false sensing 
reports received from any misbehaving SU. When a sensing report is considered to be 
false, the sensing report is not included in the final decision making. Therefore, when 
SUs are clustered, the scheme was not able to achieve the best performance in mitigating 
the SSDF attacks on the spectrum.

The authors in [10] proposed a Detection Bio-inspired consensus Cooperative sensing
scheme. The scheme counters SSDF attacks in a distributed manner. When there is
a lack of a central entity in an infrastructure-less CRN, users sense the spectrum band
and report their local energy data to their neighbors. From the reports gathered from all
the users, each user then uses selection criteria to isolate reports that are likely to be
from attackers. SUs exclude MUs by calculating the mean value of energy. Each node then
compares its value with the ones from the neighboring nodes. The node with the most
deviation is then regarded as an attacker and the remaining nodes’ reports are considered
in final decision making. This scheme is based on the assumption that two neighboring
nodes can exchange consistently trustworthy data and hence that the topology of the
network stays unchanged during a given period. However, in reality, Cognitive Radio
Ad-Hoc Network (CRAHN) topology is dynamic and characterized by frequent topological
changes.

In [11], authors proposed a Trust-aware consensus Distributed Cooperative Spectrum 
Sensing (DCSS) scheme to counteract SSDF attacks. The scheme requires every node 
to update the trust score of its neighboring nodes. The score serves as an indication of 
how much a node can be trusted and whether its local decision can be included in the 
global decision. Thus, they are able to detect the untrustworthiness of a neighbor and 
isolate its reports from the aggregation of reports in the next update, which helps in 
achieving better sensing results. This can minimize the number of attacks on a CRAHN 
environment. The results of the simulation show that the scheme performs well only 
with one attacker, which means that if attackers are more than one, the performance is 
degraded. 


3 Evaluated Schemes 


This section presents the details of the reputation-based majority ruling and ESCCSS
schemes. The two schemes were selected primarily because, according to the literature,
they are the best performing schemes.


Reputation Based and Majority Ruling Scheme 

Users sense the spectrum, share their observations and isolate MUs, which are known
as outliers, using the reputation-based system to achieve a well-informed decision. After
outliers have been excluded, the Threshold Value (TV) of 60% is used, where if a given
SU behaviour exceeds it, then it is classified as an outlier, which results in its reports
being excluded from the final decision-making process.

The scheme penalizes outliers by incrementing their current reputation value (CRV)
so that they reach the TV and risk being excluded from the CRAHN. An SU with a good
reputation will have its CRV unchanged. If a malicious SU stops misbehaving, its
reputation can be restored by decrementing it by 1. This is shown in Algorithm 1.

Algorithm 1

Step 1  : if $s_i(t) < y$ then
Step 2  :     $d_i(t) = 0$
Step 3  : else
Step 4  :     $d_i(t) = 1$
Step 5  : if $s_i(t) \in$ outlier then
Step 6  :     if $d_i(t) == g_m(t)$ then
Step 7  :         $T_{mi} = T_{mi} + 1$
Step 8  : else
Step 9  :     if $d_i(t) = g_m(t)$ then
Step 12 :         $T_{mi} = T_{mi} - 1$

Where $m$ is the device-id of the assessor device.
$i$ is the device-id of the neighbouring device.
$d_i(t)$ is the status of the primary user.
$s_i(t)$ is the value of the report from the neighbouring device $i$.
$g_m(t)$ is the final decision at device $m$.
$T_{mi}$ is the current reputation of device $i$ at device $m$.
TV is the threshold value.

ESCCSS Scheme 

The ESCCSS scheme addresses the impact that might be caused by the greedy attacker
(always yes) and the malicious attacker (always no) by isolating altered data from the
final decision of the sensing user which is interested in spectrum occupancy. It uses
a consensus algorithm which enables users to share and arrive at a global decision
without the use of a base station or fusion centre.

Each cognitive radio computes $X_i(n)$ as the average of all the observations at each
time step $j$ after data has been shared, malicious data have been isolated and the
consensus algorithm has been executed. The final decision about the spectrum occupancy
is made using the following equation:

$$X_i(n) = \frac{1}{M} \sum_{j=1}^{M} Y_i(j) \qquad (1)$$

Where $M$ is the maximum time step at which each SU observes and records energy
value, n and $i$ is the node index. The computed average is compared to TV in order to
make a final decision.

$$\text{Decision} = \begin{cases} 1, & X_i(n) > \beta \\ 0, & \text{otherwise} \end{cases} \qquad (2)$$


If the average is greater than the threshold then the spectrum is said to be in use
denoted by 1, otherwise the spectrum is said to be vacant and SUs can make use of the
available spectrum. The scheme is described in Algorithm 2.

Algorithm 2

Step 1 : Sort the received energy values $Y_1, \ldots, Y_N$ of $N$ SUs at time $k$ in
         ascending order. Let this sorted value be denoted by $X_1, \ldots, X_N$.
Step 2 : Estimate the number of outliers/malicious users $U$.
Step 3 : Compute the mean $\bar{x}$ and standard deviation $s$ of the received
         energy values $Y_1, \ldots, Y_N$.
Step 4 : Compute $R_j = \max_i |x_i - \bar{x}| / s$, $j = 1, 2, \ldots, U$.
Step 5 : After computing $R_j$, put aside the $x_i$ that has maximized $|x_i - \bar{x}|$.
Step 6 : Repeat step 1 to step 5 with the estimated outliers removed, up until $j = U$.
Step 7 : Declare the isolated $x_i$'s as suspicious data; they are excluded
         from participating when the consensus algorithm is run.


ESCCSS is activated after suspicious data is disregarded from the final decision 
making. Consensus algorithm is applied by the nodes so that they have the same global 
view of the network. Thereafter, the average of the consensus value is compared to TV 
to determine whether the spectrum is available or not. 
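
The isolation steps of Algorithm 2 followed by the decision of Eq. (2), as an added Python example that is not the authors' MATLAB code. The ring-topology averaging rule, the threshold value `BETA` and the energy reports are assumptions constructed for the illustration; the page does not specify them.

```python
"""ESCCSS-style isolation of falsified energy reports (illustrative sketch)."""
from statistics import mean, stdev


def esd_isolate(energies, u):
    """Algorithm 2: set aside the u reports with the largest studentized deviation.

    Returns (kept, isolated, r_values); kept and isolated map node index -> energy.
    Sorting (Step 1) is not needed to find the maximum deviation, so it is skipped.
    """
    if not 0 <= u <= len(energies) - 2:
        raise ValueError("u must leave at least two reports")
    kept = dict(enumerate(energies))
    isolated, r_values = {}, []
    for _ in range(u):
        x_bar = mean(kept.values())
        s = stdev(kept.values())
        if s == 0:  # every remaining report agrees, nothing left to isolate
            break
        # Steps 4-5: the report maximizing |x_i - x_bar| defines R_j and is set aside.
        worst = max(kept, key=lambda i: abs(kept[i] - x_bar))
        r_values.append(abs(kept[worst] - x_bar) / s)
        isolated[worst] = kept.pop(worst)
    return kept, isolated, r_values


def average_consensus(values, epsilon=0.3, rounds=2000):
    """Distributed averaging with no fusion centre.

    Assumption: nodes sit on a ring and each exchanges values only with its two
    neighbours; every node converges to the mean of the initial values.
    """
    x = list(values)
    n = len(x)
    for _ in range(rounds):
        x = [x[i] + epsilon * (x[i - 1] + x[(i + 1) % n] - 2 * x[i]) for i in range(n)]
    return x


# Constructed sample: 25 SUs (the network size used on the page), channel idle.
ATTACKERS = {3, 11, 19}  # "always yes" nodes, indices chosen for the example
BETA = 1.5               # assumed decision threshold
REPORTS = [9.0 if i in ATTACKERS else 1.0 + 0.02 * ((i * 7) % 11 - 5)
           for i in range(25)]


def run(u):
    """Isolate u reports, reach consensus on the rest, apply Eq. (2) at each node."""
    kept, isolated, r_values = esd_isolate(REPORTS, u)
    agreed = average_consensus(list(kept.values()))
    decisions = [1 if v > BETA else 0 for v in agreed]
    return sorted(isolated), decisions, r_values


if __name__ == "__main__":
    for u in (0, len(ATTACKERS)):
        isolated, decisions, r_values = run(u)
        print(f"U={u}: isolated={isolated} "
              f"R={[round(r, 2) for r in r_values]} decision={set(decisions)}")
```

Because the procedure as described always sets aside exactly U reports, an overestimated U also discards honest reports, so the estimate in Step 2 matters as much as the deviation test.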


4 Simulation Model 


MATLAB simulation tool installed in Windows 10 operating system was used to simulate 
the two schemes. The network size was kept constant throughout simulations with 25 
nodes. We set the population size of MUs to the following scenarios: 10%, 15% and to 
25% of the total nodes in the network. The simulation parameters are listed in Table 1. 


Table 1. Simulation parameters.

Parameter            Settings
Simulation time      200 s
Environment          CRAHN
SUs                  25
Grid size            1000 m * 1000 m
Propagation model    Two-ray ground
Fusion time          5 s
MUs                  10%, 15%, 25%
Sensing type         Energy detection

Table 1 presents the simulation parameters which were considered in the simulation
of the two mitigation schemes. Energy detection was the sensing type chosen by the
authors because the simulated schemes were designed using the same sensing type.
The simulated time was set to 200 s.

For the purpose of this research, spectrum sensing is done cooperatively, which
implies that SUs sense the spectrum band and then share their observations with
neighboring nodes prior to making a final decision about whether the spectrum is occupied
or not. Both schemes utilized cooperative spectrum sensing, and are also affected by noise
uncertainty, fading and shadowing [12].


5 Results 


To evaluate the performance of the schemes effectively, we used different types of
metrics. These are false alarm probability, success probability, and missed detection
probability. The schemes were simulated in a CRAHN environment in a network with
25 nodes. In each scenario, we considered different percentages of MUs, which were
10%, 15% and 25%, to have an in-depth analysis of how the schemes perform under
different network conditions. The missed detection probability results are presented in
Fig. 1.

Fig. 1. Missed detection probability in a network of 25 nodes.


Figure 1 shows that in a network with 25 nodes where the reputation-based and
majority ruling scheme was used, the missed detection probability is slightly higher
compared to ESCCSS when there is 10% of MUs in the network. However, as the number
of MUs increased in the network, the missed detection probability of the ESCCSS
decreased while that of the reputation-based and majority ruling scheme increased.

Figure 2 depicts the success probability results. The success probability indicates
the ratio of the scheme’s accuracy in sensing the SSDF attacks and MUs in a CRAHN
and then mitigating the attacks by disregarding the falsified reports and using the
results of non-malicious users. The results presented are from different network
scenarios consisting of different number of nodes.


Fig. 2. Success probability in a network of 25 nodes.


In the simulation results of a network containing 25 nodes, we observed that when we 
have a small percentage of MUs (10%) in the network or even a high percentage (25%), 
the reputation-based and majority ruling scheme’s performance was poor compared to 
ESCCSS. However, as the number of MUs increased, the success probability of the 
reputation-based and majority ruling scheme decreased, meaning that the scheme fails 
to detect accurately the SSDF attacks in CRAHN compared to ESCCSS. 

The false alarm probability results are depicted in Fig. 3. We observed that as the
number of MUs increased, the probability of false alarm of reputation-based and majority
ruling scheme increased which shows that the scheme was not able to handle even a small
percentage of MUs in the network.

Fig. 3. False alarm probability in a network of 25 nodes


6 Conclusion 


This work evaluated two types of SSDF attacks, which are the MU attack and the greedy 
SSDF attack. We presented comparative results of the two schemes designed to mitigate 
the SSDF attack. We compared the performance of the schemes with regard to the 
probability of missed detection, success probability and probability of false alarm. 

The simulation results showed that the ESCCSS scheme is a better performing
scheme in mitigating the SSDF attacks in CRAHN. Further research may be conducted
to evaluate the efficiency of the ESCCSS scheme in a CRAHN environment with
different numbers of nodes, and different network conditions such as cooperative or
non-cooperative nodes may be considered.


7 Future Work 


There is a need to develop a scheme that detects MUs earlier than ESCCSS. During
the simulation it was observed that both schemes start detecting MUs after 100 s of
running the simulation. We propose the use of advanced machine learning techniques in
addressing the effects of this attack. The scheme may be evaluated using both a testbed
and simulation techniques.


Abstract. As one of the most popular IoT (Internet of Things) devices, the
smartphone stores sensitive personal information. As a result, authentication
on smartphones has attracted widespread attention in recent years.
Sensor-based authentication methods have achieved excellent results due
to their feasibility and high efficiency. However, the current work lacks
comprehensive security verification, and undetected potential vulnerabilities
are likely to be leveraged to launch attacks on these authentication
approaches. We propose a novel attack to evaluate the reliability and
robustness of the existing authentication methods. The basic idea behind
our strategy is that the system has its authentication error; we elaborately
analyze the false-negative samples to summarize its vulnerable
properties and leverage such vulnerabilities to design our attack. The
experiment result proves the feasibility of our attack and also demonstrates
the drawbacks of the existing approaches. In addition, we propose
a corresponding protection approach to defend against this attack, of which
the scheme has the self-learning ability to update according to the newly
detected attacks. Compared with authentications using multiple sensors,
we only adopt a single accelerometer to achieve an EER of 5.3%, showing
the convenience and effectiveness of our system.


Keywords: Gait authentication · Wearable sensors · Impersonation attack


1 Introduction 


Biometric authentication combines computer and optical, acoustic, biosensor,
and biostatistical principles using the human body’s inherent physiological
characteristics (e.g., fingerprints, faces, and irises) and behavioral features (e.g.,
handwriting, voice, and gait) to identify individuals. It provides both convenience
and security for mobile device users, leading to biometric authentication
being the most prevalent authentication method. With the development of IoT
devices, there are more and more built-in sensors in smartphones, including many
biometric sensors. Users can use smartphones to implement more authentication
schemes; these methods can authenticate without the user’s knowledge and be
added to security systems to determine the legitimate users. One of the
actual implementations is gait recognition, which has matured in recent years to
become a low-cost and reliable method for authenticating users [1,2].

Although biometric-based authentication systems can balance security and
usability, they also face many security threats. Playback attacks and imitation
attacks are more efficient and less disruptive to the system in terms of complexity
and efficiency of implementation [3]. They affect the authentication process
and are difficult for the system to detect. In contrast, in the scenario of an imitation
attack, the attacker has the same status as the victim when facing authentication
systems. The available resources and knowledge about victims can directly
affect the complexity of an attack on a biometric system. However, unlike other
biometric features, the various data related to gait can be collected in public. In
addition, applications [4-9] based on biometric uniqueness are increasing, so it
is essential to ensure the robustness [2,4,10-12] of the authentication system.

We designed an attack plan, training 20 participants with similar physical 
conditions using the same gait, and conducted training lasting four months. 
This work complements the part about the failure to complete the zero-effort 
and minimum-effort attacks in mimic attacks [1]. Then, we used the existing 
gait recognition scheme as a target system and analyzed the results to study the 
reasons behind underperformance. 

We propose a new algorithm by studying feature loss, long-time training, and 
muscle memory. We use the direction of force lost in calculating the acceleration 
value to calculate the similarity. This process does not require the use of new 
sensors or equipment. The experimental results show that our method performs 
better than the multi-device multi-sensor solution. Furthermore, it is stable in 
multiple scenes. 


2 Related Work 


Human gait refers to a manner of walking, stepping, or running [13]. Kinetic
studies and clinical studies on gait systems began in the 1950s. Gait is universal
and unique [14]; accordingly, gait features can be extracted during walking
and, after classification and recognition, used to achieve the purpose
of authentication or recognition.


2.1 Attack Models of Behavioral Biometric Traits 


An attack on a biometric system challenges the uniqueness of a person’s behavioral
biometric traits. A.K. Jain divided the attacks that can compromise the
security provided by the system into two basic types:


Zero-Effort or Passive Attacks. The identification system uses biometric
features to distinguish people. When there is a fundamental similarity between
the attacker and victim’s features, it will cause a false match (FM).


Adversary or Active Attacks. An attacker actively impersonates a legitimate 
user through knowledge about the victim and the biometric system. The attacker 
can spoof the identity system by using digital or physical artifacts with the 
victim’s characteristics. 


2.2 Gait Recognition for Authentication 


In 2005, Ailisto et al. [15] published their research on using a WS-based approach
for gait analysis. It is the first work in this area to our knowledge. After
that, researchers used many kinds of motion sensors [16-18] for collecting the
motion of specific body parts. Studies by Gafurov [19] show that different human
limb movements have different degrees of uniqueness and universality. Nowadays,
smartphones have many built-in sensors, such as accelerometers, gyroscopes,
and magnetometers. Gait analysis based on dedicated wearable sensors made it
possible to use the smartphones’ built-in sensors for authentication. Since 2009,
smartphone-based gait authentication has become a hot research area, and many
researchers have made significant contributions [1,20-24]. With the popularization
of devices such as smartwatches and sports bracelets in recent years, authentication
schemes that combine multiple devices have gradually emerged [2,4].


2.3 Impersonation Attacks 


Although human gait is unique, the detection system is often not perfect, so 
many researchers are keen to design various imitation attacks to break through 
the existing authentication system. 

In Stang’s work [25], 13 students volunteered to contribute to his experiment.
During the imitation process, the attackers did not see the victims’ gaits, but
only a simple description displayed on a big screen. The drawbacks of Stang’s
work lie in the experimental environment: too few data points to form a
curve, a sample rate as low as 30, and a duration of 5 s, which is too short for the
gait to go from start to natural.

Gafurov et al.’s experiment [26] divided the attackers into two parts: the
“friendly” scenario and the “hostile” scenario. In the former scenario, participants
walked naturally in their styles, while participants tried to imitate their
partners in the latter scenario. A dedicated sensor was attached to the belt
around the right hip. Gafurov et al.’s results indicated that the chances of accepting
impostors employing a minimal effort, mimicking the “hostile” scenario, is
not higher than the chances of impostors succeeding in the “friendly” scenario.

Based on the work of predecessors, Mjaaland et al. [27] divided their experiment
into three scenarios: friendly, short-term hostile, and long-term hostile.
In the friendly scenario, they selected one victim and six attackers from
participants. The selected victims had visible gait characteristics that made the
imitation process more accessible, and the victim’s gait is steady under
psychological and outside influence. The attackers who were close in height to the
victims were selected. This research used belt attachment. Muaaz [1] pointed
out that watching a video or looking at a walking data chart obscures many
details of the target.

In Muaaz’s study [1], the chosen five attackers were acting students trained 
as mime artists, specializing in mimicking body motions and body language. 
Like previous studies [26,27], in 29% of impersonation attempts, attackers lost 
regularity while mimicking the victim. 

Rajesh Kumar et al. [28] and Babins Shrestha et al. [2] used digital treadmills 
to train attackers. Although the attacker has a sample of the victim’s gait pattern 
in this attack, the attacker does not imitate it. They use a treadmill to restrict 
the attacker’s gait features, such as speed, step length, stride length, and match 
the features extracted from the victim’s walking pattern. 

In summary, there are already excellent solutions in the scenario of zero-effort 
attack, and the scenario of active attack requires us to focus. So when designing 
a gait authentication system, the following criteria must be considered: 


1. Robust: The system needs to resist the attacker’s mimic attacks and passive 
attacks in different scenarios. 

2. Fast: Based on ensuring precision and recall rate, perform faster authentication.

3. Lightweight: Based on ensuring accuracy, minimize resource consumption, 
including memory consumption and power consumption due to calculation. 


3 Design and Implementation of Attack 


The rationale of biometric systems is to use the uniqueness of physiological
features to resist attacks. However, in the actual scenario, if the features cannot
distinguish between the attacker and the legitimate user, the attacker will be
authorized. For a lightweight system, the essential requirement is that the attacker
cannot pass authentication; the victim’s performance can be much better than
the “Same” evaluation.


3.1 Our Motivation 


Our attack mode is inspired by the Cauchy sequence (Eq. 1) in mathematics: a sequence
$\{x_i\}$ of elements in a metric space $(X, d)$ such that for any $\epsilon > 0$ there
is a number $N$ such that:


$$d(x_n, x_m) < \epsilon \quad \forall m, n > N \qquad (1)$$


In a successful impersonation attack on the gait authentication system, the
attacker’s performance can get the “Same” evaluation of the system. Since the
legal user’s performance is on the “Same” side, at least two different people
will get the system’s “Legal” evaluation in a successful attack. That leads to
our attack: in the evaluation function of an authentication system, make the
performance of at least two users as similar as possible and get the “Legal”
evaluation. Based on the theory above, we propose to use one action specification
to train the participants and then detect whether the system can separate each


Active Attack and Basic Countermeasures 85


(a) Imitation Attack (b) Our Attack


Fig. 1. Imitation attack and our attack 


As shown in Fig. 1, we do not use the imitation method of Fig. 1a but use
Fig. 1b to implement our attack. We use the same action method to train all
participants and then use their gait after training to make comparisons. Increased
FAR or incorrect authorization will indicate the effectiveness of our attack. Our
attack scheme has performed well on some systems, and we will discuss this result
in later chapters. Besides, the training method designed in this way avoids the
“wolves” (better imitators) and “sheep” (more likely to be imitated) problem [29]
among the participants. Because we use uniform movement specifications and the
participants are similar in size, “sheep” cannot exist. Furthermore, the
participants’ training time is long enough that they formed muscle memory of the
gait; in this situation, the advantages of “wolves” are also no longer apparent.


3.2 Participant Demographics 


We invited 20 young men who will participate in the selection of honor guards to
join our research. Before being invited, they had at least three months of military
training and four months of goose-step training, and this experience allowed them
to persevere in our training program. Since the selection qualifications include
body measurements, which is a great convenience for our research, the measurements
of our participants are similar: all participants were male and of similar age,
height, and weight.


3.3 Training Instructions 


Before participating in our research, the participants had gone through quite a
long goose-step training. We combined the goose-step with the gait of ordinary
people to design our walk style.

We train the participants in this gait for one hour a day for three months.
Participants are required to walk every day in this style. In addition to daily
individual training, they also train together every Sunday. Besides, we asked
participants to walk in a queue when meeting other participants in daily life. The
primary purpose of this training method is to build muscle memory of the training
gait to avoid the problems of improvisation and irregularity in the previous
studies [1].


3.4 Performance of Our Attack on Previous Method 


To examine the effectiveness of the attack we designed, we implement Muaaz’s
method [1] as the evaluation standard.


Fig. 2. Our attack on the existing system.


Figure 2 shows our attack effects in the existing scenario. The horizontal 
axis is the gait period arranged in chronological order, and the vertical axis 
is the distance between the gait and the template. The polyline represents the 
DTW distance (or cost) between the participants and the victim’s gait template. 
The blue one is the evaluation of the victim; the other four polylines represent 
the best four attackers’ performance. The smaller the distance, the higher the 
similarity with the victim. It can be seen from Fig. 2 that it is difficult to find a
value as a threshold to distinguish attackers and the victim.

Fig. 3. Distribution of the best four attacker-victim pairs when using acceleration
values to calculate DTW distance.


Figure 3 shows the distributions of DTW distance of the four attacker-victim 
pairs in all attempts. In the figure, the horizontal axis represents the DTW dis- 
tance of the participant’s gait and the template, and the vertical axis represents 
the distribution density. From the figure, we observe that the attackers’ data are
similar to the victims’.

Obviously, after a training period, the previous gait recognition system based
on acceleration values could not distinguish between attackers and a victim by
using a threshold; in other words, our attack can confuse the system into
misjudgment.


3.5 Reasons Behind Underperformance 


According to the performance of our attack, we need to study the reasons behind 
the result. 


Muscle Memory. All the participants in our study formed muscle memory 
of the gait through long-term training. Thus all the participants can avoid the 
problems of improvisation and irregularity found in previous work [1]. We can 
see the results from Fig. 2 and Fig. 3, which show that participants have stable 
performance. Furthermore, the result shows that the gait we designed has become 
participants’ own. 


Detailed Instructions. The gait details used in training are all quantified, and 
the training process includes single training and collective training, which avoids 
mutual compromise during joint training [30,31]. 


Feature Loss. The raw data obtained from the accelerometer is the acceleration
along the three axes of the mobile phone, i.e., three components
$(a_x(t), a_y(t), a_z(t))$. In calculating the acceleration value (see Eq. 2),
the direction information is lost, and finally only a scalar, the acceleration
value $A(t)$, remains. Therefore, a system that relies on only this one feature
will be vulnerable to our attacks.


$$A(t) = \sqrt{a_x^2(t) + a_y^2(t) + a_z^2(t)} \qquad (2)$$


4 Our Authentication Approach 


In this section, we introduce our system and its components and algorithm. 


4.1 Approach Overview 


Our goal is that the system can authorize attackers who have been trained 
together with legitimate users for a long time under the same instruction. In 
addition, we also need to minimize the use of resources while meeting the essen- 
tial authentication functions. After many attempts, we use the changing of the 
force in walking as the feature of our study. Thus we use the data collected by 
the accelerometer to construct an authentication scheme. 

We first preprocess the obtained raw data and then divide it into gait cycles.
After aligning the coordinate system, we calculate the distance between the
current user’s gait and the victim’s template, and we use spherical radian as
the distance unit in the calculation. Finally, we use the evaluation system to
decide whether to authorize the current user.


4.2 Data Preprocessing


The primary function of data preprocessing is to convert the raw data into usable
gait cycles.

Fig. 4. Data preprocessing


Walking Data Extraction. Since the start time of the gait data record is 
earlier than the start time of the walk, and the end time is later than the end time 
of the walk, it is necessary to remove the non-walking phase data. In our study, 
we used 250 sample points as a sliding window. When the value of acceleration 
exceeds the threshold (the default value is 16) for five consecutive windows, it 
indicates that these windows are in the walking phase. 


S-G Filter. Raw data contains random noise, and we used S-G [32] filters (as in
(3)) to filter out significant portions of the high-frequency content and noise and
minimize the error while maintaining waveform and height. As shown in formula
3, $X \cdot (X^T \cdot X)^{-1} \cdot X^T$ is the convolution coefficient, $Y$ is
the observation value, and $Y'$ is the smoothing result.


$$Y' = X \cdot (X^T \cdot X)^{-1} \cdot X^T \cdot Y \qquad (3)$$


Cycle Extraction. We took 200 consecutive sample points from the middle of
the data as a sliding window and then slid back in steps of 1 to get a series of 
data sets containing 200 sample points. The sums of the Euclidean distances of 
each point set and the corresponding point in the first window were calculated, 
finally yielding a distance sequence. The distance between the local minimums 
is the length of the cycle, and then the number of sample points per cycle is 
averaged.

After finding the length of one cycle, we began to divide the data set into
separate cycles. We used 1.5 times the cycle length of the interval to detect the
local minimum. When we obtain a minimum value, starting from the index of that
point, we create a new interval (length of 1.5 times the cycle length) forward.
We search for the local minimum in the vicinity of a cycle length position
within this interval. The use of 1.5 times the period as the interval length is
due to the uncertainty of the gait. Although there is always a deviation in the
interval length of each step, the deviation will not be too large (see Fig. 4a).
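The cycle-length estimate described under Cycle Extraction, as an added Python example (not the authors' code). The direction of the slide (toward later samples), the depth filter on minima, and the synthetic 3-axis signal are assumptions of this sketch; the 200-sample window is the value stated above.

```python
import math

WINDOW = 200  # window length stated in the paper


def distance_sequence(samples, window=WINDOW):
    """Sum of point-wise Euclidean distances between the reference window
    (taken from the middle of the record) and each shifted window."""
    start = len(samples) // 2
    if start + window > len(samples):
        raise ValueError("record too short for the reference window")
    ref = samples[start:start + window]
    seq = []
    # Assumption: the window slides toward later samples in steps of 1.
    for shift in range(len(samples) - start - window + 1):
        win = samples[start + shift:start + shift + window]
        seq.append(sum(math.dist(p, q) for p, q in zip(ref, win)))
    return seq


def deep_local_minima(seq, depth=0.25):
    """Indices of local minima that lie below depth * max(seq).
    The depth filter is an assumption added here so that small ripples
    near the maxima are not counted as cycle boundaries."""
    limit = depth * max(seq)
    return [
        i for i in range(1, len(seq) - 1)
        if seq[i] < seq[i - 1] and seq[i] <= seq[i + 1] and seq[i] < limit
    ]


def cycle_length(samples):
    """Average spacing (in samples) between minima of the distance sequence."""
    minima = deep_local_minima(distance_sequence(samples))
    gaps = [b - a for a, b in zip(minima, minima[1:])]
    if not gaps:
        raise ValueError("fewer than two minima: record covers too few cycles")
    return sum(gaps) / len(gaps)


def synthetic_walk(n_samples, period):
    """Constructed 3-axis signal with a known period (not measured data)."""
    out = []
    for t in range(n_samples):
        phi = 2.0 * math.pi * t / period
        out.append((
            math.sin(phi) + 0.2 * math.sin(2 * phi),
            math.cos(phi),
            0.2 * math.sin(3 * phi),
        ))
    return out


if __name__ == "__main__":
    for period in (80, 100):
        record = synthetic_walk(1200, period)
        print(period, cycle_length(record))
```

A record shorter than the middle offset plus one window, or one that covers fewer than two further cycles, raises an error instead of returning a guess.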


Gravity Separation. During walking, the direction of gravity relative to the
smartphone’s coordinate is constantly changing. Since the value is too significant
(approximately 9.8 m/s²) to ignore, we need to eliminate the contribution of
the force of gravity. From the built-in filter in Android, we can obtain linear
acceleration through the function Sensor.TYPE_ACCELEROMETER.


Abnormal Cycles Removal. Occasionally, some accidental situations caused 
data anomalies during walking, and we needed to remove the abnormal cycles. 
We used DTW (dynamic time warping) to determine the degree of dispersion of 
the cycles and cross-compare the DTW distances between different cycles. We 
removed cycle pairs that had a significant deviation from the distance. 


4.3 Coordinate Aligning 


In order to assess whether the direction of the force can be used as a feature 
to identify the movement of the people’s gait, we made a simple comparison. 
Figure 5 shows the differences of direction in a gait cycle between victims alone
and victims with attackers. From this, we can see that based on the victim’s gait 
template (red triangle and orange line), the attacker’s performance (see Fig. 5b) 
is more chaotic than the victim (see Fig. 5a). Therefore, we believe that we can 
use the force direction as an essential feature for identity verification. 


(a) Comparison of the two gait cycles of the victim
(b) Comparison of the gait cycle of victim and attacker


Fig. 5. Differences in the direction of acceleration

According to the distribution characteristics of Fig. 5, we need to rotate the
coordinate system of the gait data obtained in the certification process to make
it conform to the coordinate system of the template.


Direction Extraction

Acceleration is a vector with magnitude (or length) and direction. We determined
the magnitude A(t) from (2) in Sect. 4.2. Therefore, we can obtain the direction
on the three axes:

$$d_x = \frac{a_x}{A(t)}, \quad d_y = \frac{a_y}{A(t)}, \quad d_z = \frac{a_z}{A(t)} \qquad (4)$$

Using (4), the acceleration can be changed into a unit vector with length 
1. Applying this method to the gait data, we will get a sequence of ordered 
point sets distributed over a unit sphere. Each point represents the direction of 
acceleration, that is, the direction of the force at that time. 


Distance Between Cycles 

The shortest path between two points on a sphere, also known as an orthodrome, 
is a segment of a Great-Circle. The spherical distance can be measured using arc 
length, which is the angle between two points in polar coordinates. We can use 
the inner vector product to calculate the angle: 


(5) 


In (5), the lengths of vectors are 1, so the distance between the two points 
is: 


$$\mathrm{dist}(a, b) = \theta = \arccos(a \cdot b) \qquad (6)$$


In addition, according to our statistical results, the angle between two adjacent
points is between 0 and 0.5π, because based on our sampling rate, no one
can swing his or her leg more than 90° in such a short time.


$$D(i, j) = \mathrm{dist}(i, j) + \min \begin{cases} D(i-1, j) \\ D(i, j-1) \\ D(i-1, j-1) \end{cases} \qquad (7)$$


We used the formula (as in (7)) to calculate the distance between cycles. The
calculation is used in the template creation phase and the authentication phase.
A shorter distance means the cycle is more similar to the template. If the
distance is below a certain level, we decide that the authentication succeeds.
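Equations (2), (4), (6) and (7) put together, as an added Python example (not the authors' implementation), covering both the Feature Loss argument of Sect. 3.5 and the direction-based distance described here. The function names, the absolute-difference cost used for the magnitude-only comparison, and the constructed cycles are assumptions.

```python
import math


def magnitude(sample):
    """Eq. 2: scalar acceleration value A(t); the direction is discarded."""
    ax, ay, az = sample
    return math.sqrt(ax * ax + ay * ay + az * az)


def direction(sample):
    """Eq. 4: unit vector (d_x, d_y, d_z) = (a_x, a_y, a_z) / A(t)."""
    a = magnitude(sample)
    if a == 0.0:
        raise ValueError("a zero acceleration sample has no direction")
    return tuple(c / a for c in sample)


def arc_dist(a, b):
    """Eq. 6: great-circle distance in radians between two unit vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return math.acos(max(-1.0, min(1.0, dot)))  # clamp floating-point drift


def dtw(seq_a, seq_b, dist):
    """Eq. 7: D(i,j) = dist(i,j) + min(D(i-1,j), D(i,j-1), D(i-1,j-1))."""
    inf = float("inf")
    n, m = len(seq_a), len(seq_b)
    D = [[inf] * (m + 1) for _ in range(n + 1)]
    D[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            step = dist(seq_a[i - 1], seq_b[j - 1])
            D[i][j] = step + min(D[i - 1][j], D[i][j - 1], D[i - 1][j - 1])
    return D[n][m]


def magnitude_dtw(cycle_a, cycle_b):
    """DTW over A(t) only (assumed local cost: absolute difference)."""
    return dtw([magnitude(s) for s in cycle_a],
               [magnitude(s) for s in cycle_b],
               lambda x, y: abs(x - y))


def direction_dtw(cycle_a, cycle_b):
    """DTW over force directions on the unit sphere, in radians."""
    return dtw([direction(s) for s in cycle_a],
               [direction(s) for s in cycle_b],
               arc_dist)


def make_cycle(n, swing, plane):
    """Constructed gait cycle (not measured data): every walker has the same
    magnitude profile; the force direction swings by +/- `swing` radians
    in the given plane."""
    cycle = []
    for t in range(n):
        phase = 2.0 * math.pi * t / n
        a = 2.0 + math.sin(phase)
        ang = swing * math.sin(phase)
        if plane == "xz":
            cycle.append((a * math.cos(ang), 0.0, a * math.sin(ang)))
        else:
            cycle.append((a * math.cos(ang), a * math.sin(ang), 0.0))
    return cycle


TEMPLATE = make_cycle(50, 0.40, "xz")          # enrolled cycle
VICTIM_AGAIN = make_cycle(50, 0.42, "xz")      # same walker, slight variation
TRAINED_ATTACKER = make_cycle(50, 0.40, "xy")  # same magnitudes, other plane

if __name__ == "__main__":
    for name, cyc in (("victim", VICTIM_AGAIN), ("attacker", TRAINED_ATTACKER)):
        print(name, magnitude_dtw(TEMPLATE, cyc), direction_dtw(TEMPLATE, cyc))
```

On these constructed cycles the magnitude-only distance cannot tell the two walkers apart, while the direction distance separates them by more than an order of magnitude.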

Finally, we cross-compare the cycles and calculate the distance. We use the
KNN (k-Nearest Neighbor) algorithm to determine which cycles to submit to
the system. In the registration phase, the submitted cycles are used as the legal
user’s template, and the distance is saved for the authentication function to
derive the threshold. In the verification phase, the system uses them to calculate
the distance. We drop the cycles whose distance is far from the
current template (the default distance is 450).


Coordinate System Alignment 

Before comparison, we need to align the coordinate system of the new data with 
the template. We will reposition the phone before the data collection each time, 
causing the offset in the position and the twist of the orientation. 

With $p = [0, \mathbf{p}]$, we can represent a three-dimensional vector as a pure
quaternion. With $q = [\cos\frac{1}{2}\theta, \sin\frac{1}{2}\theta\,\hat{o}]$, we
use a rotation quaternion to represent the rotation, where $\hat{o}$ represents the
axis of rotation and $\theta$ represents the angle of rotation around $\hat{o}$.
Finally, using (8), we can get the vector $p'$ after vector $p$ is rotated by the
quaternion $q$.


$$p' = q p q^{*} \qquad (8)$$


(a) Distribution of distance of victim’s two cycles
(b) Distribution of distance of victim and attacker


Fig. 6. Differences in the distribution of cycles


According to Fig. 6, for different participants, the distance in a cycle in the
middle part is significantly shorter than the remaining part (most of the points
are less than 0.2). Therefore, we use that part to calculate the quaternion, then
use the entire cycle to get the distance.

Using the Lagrange multiplier to calculate the shortest distance, we can
obtain the quaternion required to rotate the coordinate system. The quaternion
represents the rotation and is then applied to the other data cycles. Finally, we
use the rotated cycles to calculate the similarity.


4.4 Similarity Comparison 


As mentioned in Sect. 4.3, we measure the distance between the current user’s
live template and the saved template. When the distance is below the threshold,
the system returns the confidence score (the maximum value is 100%). If the
confidence score exceeds 50%, we consider the current user (and the user in the
template) to be “Same.”


5 Performance and Discussion


Our experiment uses two OPPO-R9s, two MI8s, and one MI8 SE as devices to
collect gait data from twenty participants (mentioned in Sect. 3.2). We installed
the app on the devices and then saved the calculation results and the original data
separately and recorded the timestamps for future research. When collecting
data, participants place the smartphone in the front right pocket of the trousers.
Moreover, participants must walk for at least 1 min in the trained gait. The
detection error tradeoff (DET) curve represents the performance of our approach
(given in Sect. 4) in terms of false match rate (FMR) and false non-match
rate (FNMR) errors. Finally, we achieved an EER of 5.3%.


5.1 Performance of Our Approach 


Since the attacker does not need to imitate a specific victim in our scheme, 
we can select the best-performing attacker-victim pair for evaluation. Figure 
7 shows the confidence scores of the best-performing attacker-victim pairs for 
authentication.

Fig. 7. Best-performing attacker-victim pairs.


The results show that no attacks were successful; that is to say, our scheme
can resist our attacks. However, in 6% of the scenarios, the victim did not pass
the verification of his template. We checked the timestamps and found that most
of these events occurred at the end of the walk, and the confidence scores of the
victims would fluctuate greatly. When we extended the walking time, the
appearance of this phenomenon was delayed. One possible reason is that when the
walk is nearing the end, the participants’ attention will shift to other aspects,
such as waiting for a stop signal or preparing to take out the device, thus losing
the stability of their gaits. At this stage, the real-time scores of the victim and
the attacker also fluctuate greatly.

In addition, we analyzed the original data sequence and found that 1.7% of
attacks were successful in the best-performing victim-attacker pair. The peak of
confidence reached 54.1%, but this data was abandoned during the data
preprocessing (Sect. 4.3) and failed to enter the authentication phase.


5.2 Performance Under Different Gait 


As mentioned in Sect. 3.2, we recruited 20 participants. We collected data for
three different gaits from them (gait of their own, our trained style, and the
goose style). We collected ten sets of data for each participant’s gait and
finally divided them into about 1200 samples (for each gait). We use 10-fold
cross-validation to measure the performance of participants. Compared with the
previous multi-sensor authentication system using random forest, our results have
similar precision and recall rates.


Table 1. Result of our approach 


Gait           | FNR   | FPR   | Recall | Precision | F1-score
Goose step     | 0.093 | 0.092 | 0.907  | 0.907     | 0.907
Training style | 0.077 | 0.082 | 0.918  | 0.922     | 0.920
Own style      | 0.054 | 0.053 | 0.945  | 0.946     | 0.945


6 Conclusion 


Research in the field of mobile-based biometrics is continuing. In our work, we 
propose and implement a novel attack scheme to evaluate the reliability of the 
gait recognition scheme. We designed and implemented an Android application 
to record the user’s exercise data. Although a human cannot imitate another’s
gait, we have proved that it is possible to successfully attack specific gait
verification systems. Based on that, we propose a new gait authentication scheme
to defend against this attack and to upgrade our application. In the attack sce- 
nario, we achieved an EER of 5.3%. Moreover, it achieved the same precision 
and recall rate as the verification scheme [2] using multiple devices and machine 
learning algorithms. Although the data used in the attack scenario only contains 
a few topics, the results of this study complement previous work [1] and prove 
that high-intensity training can increase the attacker’s chances of passing the 
verification system. We believe that there is a decline in similarity in training to 
imitate (the attacker loses the regularity of his pace while imitating the victim). 
After that, it rises (muscle memory formed as the gait becomes natural). 

In future work, we want to solve some related problems. We want to infer 
some physical information of the phone holder based on the acceleration data. 
Moreover, we want to know how long it takes to learn and adapt to a new gait to 
pass specific gait verification systems. We can study these issues as information 
security topics.


Abstract. Due to miniaturization of sensor nodes and the ease and low cost of
deployment, the use of Wireless Sensor Networks (WSN) has grown rapidly. Sev- 
eral fields are concerned, including environmental monitoring, e-health, precision 
agriculture, and smart home. These sensor nodes have limited resources, espe- 
cially energy resource. An efficient management of this resource is necessary for 
the effectiveness of these networks. Several energy management solutions have 
been proposed in the literature, including clustering. In this paper, we propose a 
new approach based on the LEACH-CS protocol called Balance Member’s Nodes in 
LEACH-S (BMN-LEACH-S). This approach allows, first to balance the number 
of member nodes between the different clusters. For this purpose, a fuzzy logic 
system using as basic metrics the number of nodes in the cluster and the RSSI 
with the cluster head are used during the construction of the network topology. 
Second, it allows to allocate a quantum of energy to each Cluster Head (CH) after 
which the CH gives up its role to another node. This CH selection is done in turn. 
BMN-LEACH-S reduces instability of WSN due to the frequent change of CHs 
and increases network lifetime as a result of balancing nodes between clusters. 


Keywords: Balance nodes · Energy consumption · LEACH · Fuzzy system ·
WSN instability


1 Introduction 


A sensor network is a set of nodes deployed in a study environment to collect and 
transmit data to a sink. These sensor nodes are applied in many domains such as smart 
homes, precision agriculture, e-health to automate and facilitate information gathering 
and monitoring tasks. These sensor nodes generally run on batteries and their deployment 
environment often does not allow them to be recharged. Therefore, once a node runs 
out of energy, it becomes unusable. This has a direct impact on the life of the network. 
Facing this problem, researchers are working on all layers of the OSI model to propose 
solutions that optimize energy consumption in these sensor nodes. One of the best known 
techniques at the network layer is clustering routing. The LEACH protocol and several 
of its variants are part of this routing approach. LEACH-S [1] is an enhancement to 
LEACH [2] that eliminates the cluster rebuild cycles that consume energy in the network.
However, in LEACH-S to elect a new cluster head, the outgoing Cluster Head (CH) 
compares the residual energy to the average residual energy of the cluster to make a 
decision. This could lead to instability in the network because the residual energy of the 
CH quickly falls below the average. This leads to a frequent change of CHs, causing 
instabilities in the network. Also, in LEACH-S after the initial cycle, clusters are formed. 
A node remains in the same cluster indefinitely. As a result, the nodes acting as CHs in 
clusters with more nodes than average deplete faster than others. This causes instability
in the cluster due to the rapid change of CHs. To provide a solution to these problems, we 
proposed a new approach called Balance Member Nodes in LEACH-S (BMN-LEACH- 
S). This approach consists of balancing different nodes between clusters when building 
the network. This balancing is done based on a fuzzy logic system using the parameters 
number of nodes in the cluster and Received Signal Strength Indication (RSSI). Also, 
BMN-LEACH-S solves the problem of fast CH changes in LEACH-S by assigning a 
quantum of energy to each CH instead of relying on the average energy of the cluster. 
At the end of this quantum, the CH could be replaced by another node chosen among 
nodes not yet elected as CH. The main contributions of our research are: 


- Saving energy by sparing the CH the computation and exploitation of the average
residual energy of the cluster.

- Reducing the size of the control message by removing the field used to collect the
residual energy of the nodes. This helps to reduce the routing overhead and thus reduce
the energy consumption of the nodes.

- Reducing network instability due to frequent CH changes.

- Better traffic distribution and thus better distribution of the CHs’ energy consumption.
This improves the network lifetime.


The rest of this paper is organized as follows. In Sect. 2, we present related work. Our 
proposed solution, BMN-LEACH-S, is described in detail and we conduct an analytical 
performance evaluation of our approach compared to LEACH-CS in Sect. 3. We conclude 
in Sect. 4. 


2 Related Work 


Wireless sensor nodes are very often manufactured with non-rechargeable
batteries. These nodes therefore have limited energy autonomy. A sensor network does
not work well when some of the nodes run out of energy. Energy conservation and the 
lifetime aspect of the sensor network are important challenges in the wireless sensor 
network environment. To address these challenges, many routing techniques have been 
proposed including those based on clustering. 

LEACH protocol [2] is a cluster-based communication protocol following
a hierarchical routing approach. LEACH uses random rotation of clusters to evenly
distribute the energy load among network nodes. LEACH improves energy management
through load balancing and data aggregation.

PEGASIS [3] is an improvement of the LEACH protocol. However, unlike LEACH
which is based on a cluster formation, the main idea of PEGASIS is that each node 
receives and transmits to its close neighbours and takes the lead role for transmission to 
the base station. To achieve these energy conservation goals, PEGASIS performs data 
fusion at every node except the end nodes of the chain. To do this, a distance threshold 
is set between neighbours to be a leader. This approach allows the energy load to be 
distributed equally among the sensor nodes in the network. PEGASIS saves energy 
compared to LEACH. 

In a network of sensor nodes, instead of each node sensing information and sending 
it to the sink individually, HEED protocol [4] proposes a distributed clustering scheme 
so that a cluster node head takes care of the transmission to the sink. The HEED protocol
has the task of circulating the server role between all the nodes of the cluster for balance
maintenance between the residual energy of all the nodes constituting the cluster. This 
will increase the lifetime of the network. 

LEACH-B [5] is an improvement of LEACH that takes into account the residual 
energy at the sensor nodes. Thus after the first selection of the cluster head according to 
the LEACH protocol, a second selection is introduced to modify the number of cluster 
heads taking into account the residual energy of the nodes. This allows a balanced 
distribution of clusters in the network. LEACH-B, by favouring nodes with a good energy 
level in the selection of cluster heads, provides a longer network lifetime compared to 
LEACH. 

To solve the long-range problem between cluster heads and the sink in LEACH, 
Kaur et al. [6] propose a technique of electing a master node near the sink called Master 
Cluster Head. The latter will be responsible for aggregating and transmitting data from 
the different cluster heads to the base station. In sensor networks, most of the energy is 
consumed during the long distance transmission. The advantage is therefore the reduction 
of the communication between the cluster heads and the receiving node. 

In LEACH, the residual energy and the distance between the base station and the 
sensor node are not considered in the process of electing the cluster head nodes. The 
energy efficient cross layer-LEACH model for a wireless sensor network is proposed in 
[7]. It addresses the problem of collecting correlated sensor data from a sink node in 
a WSN. CL-LEACH maximizes the network lifetime by considering the routing layer, 
physical layer and link access to the MAC layer. In addition, the residual energy and 
the distance between the node and the base station are taken into account for cluster 
head selection. The energy consumed during data transmission between the cluster head 
and the base station is directly proportional to the distance between them. After the 
routing mechanism, the CL-MAC model is processed by taking the threshold value, the 
remaining energy and the node as input. Initially, the position of the node is updated and 
the neighbouring node with a distance of one hop is estimated. In addition, it checks 
whether the node is in the neighbour list or not. If it is, then it checks if the remaining 
energy is greater than the threshold value. If the condition is met, then the relay node is 
selected. Once the node is equal to the destination, then the data will be processed and 
stop at the relay station.

In order to reduce the energy consumption of the sensor nodes, authors proposed a
super cluster head [8] (CH) to collect data from the CHs to send to the receiving node. 
Moreover, these super CHs use fuzzy temporal rules to perform optimal routing. The 
first cluster head is responsible for data collection and has low mobility. The super CH 
is static in nature and performs all types of routing and monitoring activities towards the 
other CHs. 


3 Our Solution: BMN-LEACH-S 


To cope with the rapid change of CH and its corollaries, we propose a new approach called 
BMN-LEACH-S. This solution, on the one hand, proposes a technique for balancing 
the number of cluster member nodes based on a fuzzy logic system exploiting the basic 
metrics: number of nodes already managed by the CH and the RSSI of the target node 
with the CH. On the other hand, it proposes a simple and efficient technique to change 
the CH of a cluster based on the determination of an energy quantum to be used up 
by each CH before it hands over to another node (new CH). These new mechanisms 
contribute to balancing traffic load among different CHs and thus reduce the instability 
of some clusters and increase the lifetime of the network. 

Our BMN-LEACH-S algorithm runs in cycles, and each cycle consists of two phases: 
the configuration phase and the stable phase. The configuration phase of the initial cycle 
consists of cluster head election process and the cluster choice process by nodes based 
on a fuzzy system metrics. For the other cycles, the selection of a new CH is performed 
by the outgoing CH. 


3.1 CH Election Process in the Initial Round 


As in LEACH-S, in BMN-LEACH-S, the initial cycle begins with a setup phase where 
each sensor node decides whether or not to act as a CH for that particular round. This 
decision for a sensor node to act as CH is based on the value of the number (between 0 and 
1) randomly selected. A node becomes a cluster head for this first round if this number 
is below a predefined threshold. It then broadcasts a control message announcing its CH 
status. Unlike LEACH-S, in our approach, the CH announcement messages include the 
number of nodes already in the cluster. 


3.2 Node Membership Process in a Cluster 


When a node that is not a CH receives an announcement message from a CH, it sends 
its membership request message to the CH. In the case where this node receives an 
announcement message from several CHs, it calculates the cost associated with each 
CH using the fuzzy system. The fuzzy system takes as parameters RSSI and the number 
of member nodes contained in the CH cluster. The process of calculating the cost of the 
CH by our fuzzy system is presented in Appendix 1. The node will choose the cluster 
whose CH has the best cost. After that, it sends a membership message to the concerned 
CH. This message contains its identity information.


3.3 Cluster Heads Change Process


The cluster head function is played in turn. Unlike LEACH-S which averages the cluster 
energies and compares them with its residual energy, in our new approach, to solve 
the instability problem in clusters, we define a quantum of energy that the CH node 
must exhaust before giving up its place to another node. To do this, the outgoing CH 
node informs the new CH of the list of nodes that have already been elected and also 
the list of nodes not yet elected. Thus, the cluster head will choose a node from the 
list of not-yet-elected nodes as its successor and add its identity to the list of already- 
elected nodes before handing over its role. When all the nodes rotate as cluster head, i.e., 
when a CH has no more nodes in the not-yet-elected list, then the already-elected list is 
automatically copied to the not-yet-elected list, then the elected list is emptied, and the 
process starts again. Thus, member nodes will no longer need to inform the CH of their 
energy status, thus avoiding burdening the control packet. The approach also helps to 
avoid the operations of calculating the average of the residual energies of the different 
nodes of the cluster and its comparison with the CH. 


Analytical evaluation of the solution 

To highlight the relevance of the proposed solution, we conduct an analytical study. 
This study consists in describing and comparing the operating process of LEACH-S and 
BMN-LEACH-S. To do so, we first describe the environment of our study. Then, we 
present the results of the analytical experimentation. Finally, we analyse and interpret 
the results from the study. 


3.4 Estimation Context 


We consider two identical 17-node networks, one running the LEACH-S protocol 
and the other BMN-LEACH-S. We observe the behaviour of these two networks 
over successive communication rounds (T0, T1, T2, ..., T16). We assume that during a 
communication round, a member node consumes 0.5 Energy Units (EU) to communicate with 
its CH, and the latter also uses 0.5 EU to process each received message. 
Therefore, to process messages from N nodes, the CH needs N*0.5 EU. A CH chooses 
a replacement when it has exhausted an amount of energy equal to C = 4 EU. In the 
experimental phase, the 17 nodes formed 3 clusters named cluster I, cluster J and cluster K. 
Each node has 20 EU as its initial energy. 


3.5 Experimental Results 


Experimentation with LEACH-S 

In LEACH-CS, after the initial phase, the network formed 3 clusters I, J and K. These 
clusters I, J and K contain respectively 9, 7 and 3 nodes. NI1, NJ1 and NK1 are the 
cluster heads of clusters I, J and K respectively. 

In round T1, we have the topology shown in Fig. 1. The cluster head is in blue and 
the other nodes in green. The links symbolize the direction of the communication. 


[Figure: topology of Cluster I, Cluster J and Cluster K] 


Fig. 1. State of the network at round T1 


The following table shows the energy status of the network nodes after the T1 round 
(Table 1). 


Table 1. Energy status of the network after the T1 round on LEACH-S 


       Cluster I                                    Cluster J                Cluster K
Node   NI1  NI2  NI3  NI4  NI5  NI6  NI7  NI8  NI9  NJ1  NJ2  NJ3  NJ4  NJ5  NK1  NK2  NK3
E      16   19.5 19.5 19.5 19.5 19.5 19.5 19.5 19.5 18   19.5 19.5 19.5 19.5 19   19.5 19.5
Stat   I: INSTABILITY   J: STABLE   K: STABLE


Nodes periodically send data from their environments to the CH. A round corre- 
sponds to the event of sending data to the CH, i.e., a period. We repeat the experiment 
until round T16 and collect the information to count the number of instabilities on the 
network. We call INSTABILITY the change of CH. This change generates a specific 
broadcast of control messages to announce the new CH. We assume that the energy 
consumed by an ordinary (non-CH) node receiving a packet from a neighbouring node 
is negligible. A non-CH node destroys this packet at the network access layer. 

Table 2 summarizes the information from rounds T1 to T16. 


Experimentation with BMN-LEACH-S 

In BMN-LEACH-S, thanks to our member node balancing process, we end up this time 
with 7 nodes in cluster I, 5 in cluster J and 5 in cluster K. The CHs for these clusters I, J and 
K are respectively NI1, NJ1 and NK1. As a reminder, in BMN-LEACH-S membership 
in a cluster is a function of the cost that the non-CH node has with the CH. Each node 
chooses the CH with which it has the highest cost. This cost is computed with our fuzzy 
logic system presented in Appendix 1. 


Table 2. Summary of the information from rounds T1 to T16 on LEACH-S 


LEACH-S
       Cluster I                                    Cluster J                Cluster K
Nodes  NI1  NI2  NI3  NI4  NI5  NI6  NI7  NI8  NI9  NJ1  NJ2  NJ3  NJ4  NJ5  NK1  NK2  NK3
T0     20   20   20   20   20   20   20   20   20   20   20   20   20   20   20   20   20
T1     16   19.5 19.5 19.5 19.5 19.5 19.5 19.5 19.5 18   19.5 19.5 19.5 19.5 19   19.5 19.5
Stat   I: INSTABILITY   J: STABLE   K: STABLE
T2     15.5 15.5 19   19   19   19   19   19   19   16   19   19   19   19   18   19   19
Stat   I: INSTABILITY   J: INSTABILITY   K: STABLE
T3     15   15   15   18.5 18.5 18.5 18.5 18.5 18.5 15.5 17   18.5 18.5 18.5 17   18.5 18.5
Stat   I: INSTABILITY   J: STABLE   K: STABLE
T4     14.5 14.5 14.5 14.5 18   18   18   18   18   15   15   18   18   18   16   18   18
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
T5     14   14   14   14   14   17.5 17.5 17.5 17.5 14.5 14.5 16   17.5 17.5 15.5 17   17.5
Stat   I: INSTABILITY   J: STABLE   K: STABLE
T6     13.5 13.5 13.5 13.5 13.5 13.5 17   17   17   14   14   14   17   17   15   16   17
Stat   I: INSTABILITY   J: INSTABILITY   K: STABLE
T7     13   13   13   13   13   13   13   16.5 16.5 13.5 13.5 13.5 15   16.5 14.5 15   16.5
Stat   I: INSTABILITY   J: STABLE   K: STABLE
T8     12.5 12.5 12.5 12.5 12.5 12.5 12.5 12.5 16   13   13   13   13   16   14   14   16
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
T9     12   12   12   12   12   12   12   12   12   12.5 12.5 12.5 12.5 14   13.5 13.5 15
Stat   I: INSTABILITY   J: STABLE   K: STABLE
T10    11.5 11.5 11.5 11.5 11.5 11.5 11.5 11.5 08   12   12   12   12   12   13   13   14
Stat   I: INSTABILITY   J: INSTABILITY   K: STABLE
T11    11   11   11   11   11   11   11   07.5 07.5 11.5 11.5 11.5 11.5 10   12.5 12.5 13
Stat   I: INSTABILITY   J: STABLE   K: STABLE
T12    10.5 10.5 10.5 10.5 10.5 10.5 07   07   07   11   11   11   11   08   12   12   12
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
T13    10   10   10   10   10   06.5 06.5 06.5 06.5 10.5 10.5 10.5 09   07.5 11.5 11.5 11
Stat   I: INSTABILITY   J: STABLE   K: STABLE
T14    09.5 09.5 09.5 09.5 06   06   06   06   06   10   10   10   07   07   11   11   10
Stat   I: INSTABILITY   J: INSTABILITY   K: STABLE
T15    09   09   09   05.5 05.5 05.5 05.5 05.5 05.5 09.5 09.5 08   06.5 06.5 10.5 10.5 09
Stat   I: INSTABILITY   J: STABLE   K: STABLE
T16    08.5 08.5 05   05   05   05   05   05   05   09   09   06   06   06   10   10   08
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
[Figure: Cluster I, Cluster J and Cluster K] 


Fig. 2. Fuzzy-based CH selection of nodes in the respective clusters 


In round T1, we have (Table 3): 


Table 3. Energy status of the network after the T1 round on BMN-LEACH-S 


       Cluster I                          Cluster J                Cluster K
Nodes  NI1  NI2  NI3  NI4  NI5  NI6  NI7  NJ1  NJ2  NJ3  NJ4  NJ5  NK1  NK2  NK3  NK4  NK5
E      17   19.5 19.5 19.5 19.5 19.5 19.5 18   19.5 19.5 19.5 19.5 18   19.5 19.5 19.5 19.5
Stat   I: STABLE   J: STABLE   K: STABLE


We repeat the experiment until round T16 and collect the information to count the 
number of instabilities on the network. Table 4 summarizes information from rounds T1 
to T16. 

Table 4. Information from the network running on BMN-LEACH-S 


BMN-LEACH-S
       Cluster I                          Cluster J                Cluster K
Nodes  NI1  NI2  NI3  NI4  NI5  NI6  NI7  NJ1  NJ2  NJ3  NJ4  NJ5  NK1  NK2  NK3  NK4  NK5
T0     20   20   20   20   20   20   20   20   20   20   20   20   20   20   20   20   20
T1     17   19.5 19.5 19.5 19.5 19.5 19.5 18   19.5 19.5 19.5 19.5 18   19.5 19.5 19.5 19.5
Stat   I: STABLE   J: STABLE   K: STABLE
T2     14   19   19   19   19   19   19   16   19   19   19   19   16   19   19   19   19
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
T3     13.5 16   18.5 18.5 18.5 18.5 18.5 15.5 17   18.5 18.5 18.5 15.5 17   18.5 18.5 18.5
Stat   I: STABLE   J: STABLE   K: STABLE
T4     13   13   18   18   18   18   18   15   15   18   18   18   15   15   18   18   18
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
T5     12.5 12.5 15   17.5 17.5 17.5 17.5 14.5 14.5 16   17.5 17.5 14.5 14.5 16   17.5 17.5
Stat   I: STABLE   J: STABLE   K: STABLE
T6     12   12   12   17   17   17   17   14   14   14   17   17   14   14   14   17   17
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
T7     11.5 11.5 11.5 14   16.5 16.5 16.5 13.5 13.5 13.5 15   16.5 13.5 13.5 13.5 15   16.5
Stat   I: STABLE   J: STABLE   K: STABLE
T8     11   11   11   11   16   16   16   13   13   13   13   16   13   13   13   13   16
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
T9     10.5 10.5 10.5 10.5 13   15.5 15.5 12.5 12.5 12.5 12.5 14   12.5 12.5 12.5 12.5 14
Stat   I: STABLE   J: STABLE   K: STABLE
T10    10   10   10   10   10   15   15   12   12   12   12   12   12   12   12   12   12
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
T11    09.5 09.5 09.5 09.5 09.5 12   14.5 11.5 11.5 11.5 11.5 10   11.5 11.5 11.5 11.5 10
Stat   I: STABLE   J: STABLE   K: STABLE
T12    09   09   09   09   09   09   14   11   11   11   11   08   11   11   11   11   08
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
T13    08.5 08.5 08.5 08.5 08.5 08.5 11   10.5 10.5 10.5 09   07.5 10.5 10.5 10.5 09   07.5
Stat   I: STABLE   J: STABLE   K: STABLE
T14    08   08   08   08   08   08   08   10   10   10   07   07   10   10   10   07   07
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY
T15    07.5 07.5 07.5 07.5 07.5 05   07.5 09.5 09.5 08   06.5 06.5 09.5 09.5 08   06.5 06.5
Stat   I: STABLE   J: STABLE   K: STABLE
T16    07   07   07   07   07   02   07   09   09   06   06   06   09   09   06   06   06
Stat   I: INSTABILITY   J: INSTABILITY   K: INSTABILITY


From the analytical study we conducted, during the 16 rounds, according to Tables 2 
and 4, we notice that the total number of instability cases in LEACH-S for the whole 
network is 28 against 24 in BMN-LEACH-S. 


[Figure: bar chart of the number of instabilities in the network for LEACH-S and BMN-LEACH-S] 


Fig. 3. Number of instabilities in the network 


Looking in detail at the number of instabilities per cluster, we notice that in LEACH-S, 
for clusters I, J and K, we have respectively 16, 8 and 4 cases of instabilities. In the 
network running with BMN-LEACH-S, with this experiment, we have the same number 
(8) of instabilities for each of the three clusters I, J, K (see Table 2 and Table 4). 
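
The rotation rule of Sect. 3.3, run with the parameters of Sect. 3.4 and the BMN-LEACH-S cluster sizes (7, 5 and 5), reproduces these counts. This is an added example, not the authors' code; the class and function names are hypothetical, and the choice of the first CH and of the successor (head of the not-yet-elected list) is an assumption, since the paper does not say which node is picked.

```python
"""BMN-LEACH-S cluster-head rotation with an energy quantum (added example)."""

MEMBER_COST = 0.5      # EU a member spends per round to reach its CH (Sect. 3.4)
PER_MSG_COST = 0.5     # EU the CH spends per received message (Sect. 3.4)
QUANTUM = 4.0          # C = 4 EU: energy a CH must exhaust before handing over
INITIAL_ENERGY = 20.0  # EU per node at T0


class Cluster:
    def __init__(self, name, size):
        self.name = name
        self.nodes = [f"N{name}{i}" for i in range(1, size + 1)]
        self.energy = {n: INITIAL_ENERGY for n in self.nodes}
        self.ch = self.nodes[0]            # assumption: first node is the initial CH
        self.elected = [self.ch]           # list of already-elected nodes
        self.not_elected = self.nodes[1:]  # list of not-yet-elected nodes
        self.spent_as_ch = 0.0             # energy the current CH has used so far
        self.instabilities = 0

    def run_round(self):
        """Play one round; return "INSTABILITY" if the CH hands over at its end."""
        members = [n for n in self.nodes if n != self.ch]
        for n in members:
            self.energy[n] -= MEMBER_COST
        cost = PER_MSG_COST * len(members)
        self.energy[self.ch] -= cost
        self.spent_as_ch += cost
        if self.spent_as_ch < QUANTUM:
            return "STABLE"
        self._hand_over()
        return "INSTABILITY"

    def _hand_over(self):
        if not self.not_elected:
            # Every node has served: the elected list is copied to the
            # not-yet-elected list and then emptied, and the cycle restarts.
            self.not_elected, self.elected = self.elected, []
        successor = self.not_elected.pop(0)  # assumption: head of the list
        self.elected.append(successor)
        self.ch = successor
        self.spent_as_ch = 0.0
        self.instabilities += 1


def simulate(sizes, rounds=16):
    """Run `rounds` rounds on clusters given as {name: size}.

    Returns the clusters and, per round, the status of each cluster.
    """
    clusters = [Cluster(name, size) for name, size in sizes.items()]
    history = [{c.name: c.run_round() for c in clusters} for _ in range(rounds)]
    return clusters, history


if __name__ == "__main__":
    clusters, history = simulate({"I": 7, "J": 5, "K": 5})
    for c in clusters:
        print(c.name, c.instabilities, c.energy)
```

Because members never report their energy, the only state a CH passes on is the two lists, which is what keeps the control packet small.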


[Figure: bar chart of the number of network instabilities per cluster (cluster I, cluster J, cluster K) for LEACH-S and BMN-LEACH-S] 


Fig. 4. Number of network instabilities per cluster 


3.6 Analysis and Interpretation 


The results of the experiments show that, over the whole network, we observe 28 
instabilities with the LEACH-S protocol against 24 for BMN-LEACH-S (see Fig. 3). The use 
of LEACH produces more instabilities than the use of BMN-LEACH-S. If we analyse 
the results by cluster, the imbalance is more visible. In cluster I, we see that the 
CH was changed 16 times with LEACH-S versus 8 for BMN-LEACH-S (see Fig. 4). 
Knowing that each CH change induces a special control message broadcast for the new CH 
announcement, we can deduce that BMN-LEACH-S improves the routing load compared 
to LEACH-S. This leads to the reduction of the overall network energy consumption. 
BMN-LEACH-S also improved the packet loss rate due to topology changes or network 
overload, and the average packet transmission delay. 

With these experiments, the CH was changed 8 times for each cluster driven by 
BMN-LEACH-S. We can say that BMN-LEACH balances the traffic load between the 
different CHs. This increases the lifetime of the network. 


4 Conclusion 


In this paper, we proposed a new clustering-based routing solution called BMN-LEACH- 
S. This method is an improvement of the LEACH-CS protocol to decrease the instability 
of some clusters due to frequent CH changes. Also, it solves the problem of unequal 
distribution of member nodes between clusters. To do this, BMN-LEACH-S allocates a 
quantum of energy to each cluster head. When the CH exhausts the quantum of energy, it 
appoints a replacement among the nodes not yet elected. Also, it implements a function 
based on a fuzzy logic system using the parameters number of nodes in the cluster and 
the RSSI to estimate the cost of a CH. Each node uses this cost to make its choice 
of CH. This allows more equitable distribution of nodes in the different clusters. An 
analytical evaluation of our solution shows that it reduces network instabilities compared 
to LEACH-S. This improves the lifetime of the network. This performance should be 
confirmed by extensive simulation and testbed. 


Appendix 1: The Fuzzy Function for Costing 


Our fuzzy node balancing solution works in three steps: the fuzzification of the analog 
values (number of nodes and RSSI), the inference system, and the defuzzification. 


The Fuzzification Phase 

In this phase, we translate the analog input parameters (RSSI signal strength and number 
of nodes in the cluster) into discrete values between 0 and 1. The first parameter is the 
number of nodes in the cluster. Since our goal is to balance the size of the clusters, it 
is necessary to take into account the number of nodes (NN) belonging to each cluster so that 
the cluster with more nodes has less chance of receiving a new node. The second 
parameter is the signal strength (RSSI) between the node and the CH. We considered the 
signal strength so that the cluster with a good communication link has a higher chance 
of receiving the node. 

To do this, we use a membership function to translate these analog values. There are 
several types of membership function, such as the triangular membership function and 
the sinusoidal function; we have chosen the triangular membership function. We also 
use the same linguistic variables (very low, low, medium, high, very high) to delimit 
our fuzzy sets for both parameters. 

For example, suppose a node has the choice between two clusters named I and J. The 
number of nodes in cluster I is 8 and its RSSI is 70; the number of nodes in cluster J 
is 3 and its RSSI is 50. 


[Figure: fuzzification process of the number of nodes related to CH I and J; Cluster I (NN = 8; RSSI = 70), Cluster J (NN = 3; RSSI = 50)] 


[Figure: fuzzification process of the RSSI (dBm) related to CH I and J] 


After fuzzification, cluster I has the fuzzy values NN (0.66 high; 0.34 medium) and 
RSSI (0.3 high; 0.7 medium). Cluster J has the fuzzy values NN (1 low) and RSSI (0.4 
low; 0.6 medium). 


The Inference System 


Once the different parameters have been translated into “fuzzy language”, the inference 
aims at building decision rules and finding, for each of them, the degree of membership 
of its conclusion. The construction of these rules, mainly based on “AND”, is mathematically 
translated in the following form. 


Rule i  Description (Ri)                          Output rule (cluster choice level)
1       NN (very low) AND RSSI (very low)         Medium
2       NN (very low) AND RSSI (low)              Medium
3       NN (very low) AND RSSI (medium)           High
4       NN (very low) AND RSSI (high)             Very high
5       NN (very low) AND RSSI (very high)        Very high
6       NN (low) AND RSSI (very low)              Medium
7       NN (low) AND RSSI (low)                   Medium
8       NN (low) AND RSSI (medium)                High
9       NN (low) AND RSSI (high)                  Very High
10      NN (low) AND RSSI (very high)             Very High
11      NN (medium) AND RSSI (very low)           Low
12      NN (medium) AND RSSI (low)                Low
13      NN (medium) AND RSSI (medium)             Medium
14      NN (medium) AND RSSI (high)               Medium
15      NN (medium) AND RSSI (very high)          Medium
16      NN (high) AND RSSI (very low)             Very low
17      NN (high) AND RSSI (low)                  Low
18      NN (high) AND RSSI (medium)               Low
19      NN (high) AND RSSI (high)                 Medium
20      NN (high) AND RSSI (very high)            Medium
21      NN (very high) AND RSSI (very low)        Very Low
22      NN (very high) AND RSSI (low)             Very Low
23      NN (very high) AND RSSI (medium)          Low
24      NN (very high) AND RSSI (high)            Low
25      NN (very high) AND RSSI (very high)       Low


After the establishment of the rule base, we use the truth values associated with the 
clusters to activate the rules using Zadeh operators. 


Cluster I 

Rule                             Value             Result
NN (high) AND RSSI (medium)      Min (0.66; 0.7)   0.66 low
NN (high) AND RSSI (high)        Min (0.66; 0.3)   0.3 medium
NN (medium) AND RSSI (medium)    Min (0.34; 0.6)   0.34 medium
NN (medium) AND RSSI (high)      Min (0.34; 0.4)   0.34 medium

Cluster J 

Rule                             Value             Result
NN (low) AND RSSI (low)          Min (1; 0.4)      0.4 medium
NN (low) AND RSSI (medium)       Min (1; 0.6)      0.6 high


Aggregating the Results 


This step of the inference consists in grouping all the rules. This aggregation is therefore 
done on the basis of the logical “OR”, which translates into “Max”. 


[Figure: aggregation of the CHI values of Cluster I over the fuzzy sets VL, L, M, H, VH; horizontal axis: cluster choice level in %] 


[Figure: aggregation of the CHJ values of Cluster J over the fuzzy sets VL, L, M, H, VH; horizontal axis: cluster choice level in %] 


Defuzzification 

Defuzzification consists in transforming the fuzzy output subset into a non-fuzzy value 
called the cluster head cost. A node wanting to integrate into a cluster will choose the 
cluster whose CH offers a better cost. To compute the cost, we will use the weighted 
average method which consists of averaging the maximums of the output values. 


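$$\mathrm{Cost} = \frac{\sum_{K} \mu_a(K)\cdot K}{\sum_{K} \mu_a(K)}$$

$$\mathrm{Cost}(CHI) = \frac{30 \times 0.66 + 60 \times 0.34}{0.66 + 0.34} = 40.2$$

$$\mathrm{Cost}(CHJ) = \frac{40 \times 0.4 + 60 \times 0.6}{0.6 + 0.4} = 52$$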


So the node will choose cluster J because it is the CHJ that offers a better cost. 
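
The inference, aggregation and defuzzification steps above, applied to the appendix's own numbers, as an added example that is not the authors' code. It starts from the fuzzified values given in the text (the membership breakpoints are only in the figures), and it takes the representative value of each output level from the cost arithmetic above (30 and 60 for CHI, 40 and 60 for CHJ); function names are hypothetical.

```python
"""Rule activation (min), aggregation (max) and weighted-average cost (added example)."""

LEVELS = ("very low", "low", "medium", "high", "very high")

# Rule base of Appendix 1: one row per NN level, one column per RSSI level.
_ROWS = {
    "very low":  ("medium", "medium", "high", "very high", "very high"),
    "low":       ("medium", "medium", "high", "very high", "very high"),
    "medium":    ("low", "low", "medium", "medium", "medium"),
    "high":      ("very low", "low", "low", "medium", "medium"),
    "very high": ("very low", "very low", "low", "low", "low"),
}
RULES = {(nn, rssi): out
         for nn, row in _ROWS.items()
         for rssi, out in zip(LEVELS, row)}


def infer(nn, rssi):
    """Activate the rules with Zadeh AND (min) and aggregate with Zadeh OR (max).

    `nn` and `rssi` map a linguistic level to its membership degree in [0, 1].
    Returns {output level: aggregated degree} for the activated levels only.
    """
    aggregated = {}
    for nn_level, nn_deg in nn.items():
        for rssi_level, rssi_deg in rssi.items():
            if not (0.0 <= nn_deg <= 1.0 and 0.0 <= rssi_deg <= 1.0):
                raise ValueError("membership degrees must lie in [0, 1]")
            strength = min(nn_deg, rssi_deg)
            if strength == 0:
                continue  # rule not activated
            out = RULES[(nn_level, rssi_level)]
            aggregated[out] = max(aggregated.get(out, 0.0), strength)
    return aggregated


def weighted_average(aggregated, representative):
    """Defuzzify: sum(value * degree) / sum(degree) over the activated levels."""
    total = sum(aggregated.values())
    if total == 0:
        raise ValueError("no rule was activated")
    return sum(representative[lvl] * deg for lvl, deg in aggregated.items()) / total


def choose_cluster(candidates):
    """Return (best cluster, costs) for {name: (nn, rssi, representative)}."""
    costs = {name: weighted_average(infer(nn, rssi), rep)
             for name, (nn, rssi, rep) in candidates.items()}
    return max(costs, key=costs.get), costs


# The worked example of the appendix (values taken from the text above).
CANDIDATES = {
    "I": ({"high": 0.66, "medium": 0.34}, {"high": 0.3, "medium": 0.7},
          {"low": 30, "medium": 60}),
    "J": ({"low": 1.0}, {"low": 0.4, "medium": 0.6},
          {"medium": 40, "high": 60}),
}

if __name__ == "__main__":
    print(choose_cluster(CANDIDATES))
```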


References 


1. Bendjeddou, A., Laoufi, H., Boudjit, S.: LEACH-S: Low Energy Adaptive Clustering Hierarchy 
for Sensor Network (2018). https://doi.org/10.1109/ISNCC.2018.8531049 

2. Wendi, H., Anantha, R.C., Hari, B.: Energy-efficient communication protocol for wireless 
microsensor networks. In: Proceedings of the 33rd Annual Hawaii International Conference 
on System Sciences (2000). https://doi.org/10.1007/s00440-002-0224-4 


LEACH-S Enhancement to Ensure WSN Stability 113 


3. Lindsey, S., Raghavendra, C.S.: PEGASIS: power-efficient gathering in sensor information 
systems. IEEE Aerosp. Conf. Proc. 3, 1125-1130 (2002). https://doi.org/10.1109/AERO.2002.1035242 

4. Ossama, Y., Sonia, F.: HEED: a hybrid, energy-efficient, distributed clustering approach for 
ad hoc sensor networks. IEEE Trans. Mob. Comput. (2004). https://doi.org/10.1109/TMC.2006.141 

5. Mu, T., Tang, M.: LEACH-B: an improved LEACH protocol for wireless sensor network. In: 6th 
International Conference on Wireless Communications Networking and Mobile Computing, 
WiCOM 2010, pp. 2-5 (2010). https://doi.org/10.1109/WICOM.2010.5601113 

6. Kaur, K., Deepika, S.: Improvement in LEACH protocol by electing master cluster heads to 
enhance the network lifetime in WSN. Int. J. Sci. Eng. Appl. 2(5), 110-114 (2013) 

7. Marappan, P., Rodrigues, P.: An energy efficient routing protocol for correlated data using 
CL-LEACH in WSN. Wireless Netw. 22(4), 1415-1423 (2015). https://doi.org/10.1007/s11276-015-1063-4 

8. Selvi, M., Logambigai, R., Ganapathy, S., Ramesh, L.S., Nehemiah, H.K., Arputharaj, 
K.: Fuzzy temporal approach for energy efficient routing in WSN. In: ACM International 
Conference Proceeding Series, vol. 25-26 (2016). https://doi.org/10.1145/2980258.2982109 




M-ODD: A Standard Protocol 
for Reporting MANET Related Models, 
Simulations, and Findings 


Izabela Savić, Marshall Asch, Keefer Rourke, Fatemeh Safari, 
Patrick Houlding, Jeremie Fraeys de Veubeke, Jason Ernst, and Daniel Gillis 


University of Guelph, Guelph, ON, Canada 
{savici,masch,krourke,safarif,phouldin,jfraeysd,dgillis}@uoguelph.ca, 
ernst jasoni@gmail.com 


Abstract. There has been a steady increase in the number of research 
publications in the Mobile ad hoc Network (MANET) domain over the 
last two decades. However, several studies have indicated that the cred- 
ibility of MANET simulation publications may be in question because 
numerous publications lack vital information (e.g., simulation tools, vari- 
ables, parameters used) and statistical rigor. This has led to issues of 
repeatability and reproducibility of previous work and calls into question 
the validity of the simulation results which are difficult or impossible to 
verify. To address this, we propose a modified Overview, Design Con- 
cepts, and Details (ODD) protocol, based on the work of Grimm et al., 
as a standard documentation protocol for MANET simulation studies. 
The MANET ODD (M-ODD) protocol will promote credibility within 
the domain of study by increasing repeatability, reproducibility, and sta- 
tistical rigor. 


Keywords: MANET · Mobile ad hoc · Ad hoc networks · 
Standardization · Simulation · Scientific communication · 
Documentation protocol 


1 Introduction 


Mobile ad hoc Networks (MANETs) provide a means of communication between 
mobile users without the need for fixed infrastructure (e.g., wireless internet 
access points). Interest in MANETs has grown over the years as its applications 
have become more widespread and evident. Such applications are providing com- 
munication in disaster relief, providing wireless connectivity in suburban envi- 
ronments, as well as providing communication in military situations [1,2]. How- 
ever, multiple surveys of MANET simulation papers have found the credibility 
of MANET research to be severely compromised. It has been observed that there 
is a “lack of reliability of MANET simulation-based studies” by Kurkowski et al. 
[3] and that less than 15% of MobiHoc papers published between 2000 and 2005 
are repeatable [3]. An analysis of MANET simulation papers published from the 
Institute of Electrical and Electronics Engineers (IEEE) and the Association for 
Computing Machinery (ACM) between 2010 and 2017 held comparable results. 
It indicated that only 26% of papers were completely repeatable, and that there 
were design flaws, unrealistic assumptions, lack of reproducibility, and statis- 
tically invalid results in a large majority of published papers [4]. The reason 
most studies were found to lack reproducibility was that they were missing key 
information, such as the simulator used, type of simulation used, value of initial 
variables, number of simulations run, and Pseudo Random Number Generator 
(PRNG) information [3,4]. The lack of reproducibility reduces author credibility 
and hinders further academic progress within the field since the stable and reli- 
able groundwork that new researchers depend on to conduct their experiments 
and develop new methods is unverifiable, unreliable, or lacking in rigor. Instead, 
researchers must focus their efforts on correcting, verifying, or reinvestigating 
domain knowledge before further advancements can be made. Ultimately this 
reduces the credibility and trustworthiness of domain results. 

These challenges are not unique to MANET simulation-based research. In 
fact, simulation-based research involving agent-based and individual-based mod- 
els once shared similar issues: the research was difficult to replicate, difficult to 
understand, and was often described verbally rather than with equations, tables, 
figures, etc. [5]. These issues prompted Grimm et al. (2006) to create a standard 
documentation protocol for describing these models called the Overview, Design 
Concepts, and Details (ODD) protocol. The original ODD protocol included 
three main sections: Overview, Design Concepts, and Details. The Overview and 
Details sections were each further divided into three subsections. The Overview 
included subsections of 1) Purpose, 2) State Variables and Scales, and 3) Process 
Overview and Scheduling. Subsections of Initialization, Input, and Sub-models 
made up the details section. The protocol was updated in 2010 and again in 2020 
[6,7] to include a wider set of design concepts (e.g., adaptation, learning, predic- 
tion, sensing) [6], and to include example documents (e.g., TRACE documents, 
Nested ODD) to improve clarity, replication, and structural realism [7]. 

In this paper, we propose a modified version of Grimm et al.’s ODD doc- 
umentation protocol, to provide a standard documentation protocol for future 
MANET simulation studies. Specifically, we propose the addition of two subsec- 
tions to the details section that are necessary for reproducibility: System Require- 
ments, and Software Overview. These two subsections will allow researchers to 
reproduce documented simulations accurately by ensuring they have the cor- 
rect tools (e.g., simulation tools, computer setups, etc.) to do so. As such, 
the proposed MANET ODD (M-ODD), will provide a protocol for researchers 
to improve the reproducibility, consistency, and statistical soundness of their 
studies. Ultimately, M-ODD will improve the credibility of MANET simulation 
research. 

We begin with a summary discussion of the common pitfalls in MANET sim- 
ulation studies that have been identified in previous reviews, particularly those 
that hinder replicability and verifiability in Sect. 2. Following this, we present the 
subsections of the proposed M-ODD protocol in Sect. 3. In Sect. 4 we evaluate 
a series of MANET papers against the proposed M-ODD protocol (co-authored 
by one of the authors of this work) and provide specific examples that could 
improve the work. This is not to suggest that the findings are invalid, but that 
improvements in documentation could be helpful to ensure reproducibility of the 
work. Discussion and conclusions are provided in Sect. 5. 


2 Common Pitfalls in MANET Research 


In this section, we summarize some of the findings of two review papers of the 
MANET research domain. This is necessary to contextualize the proposed M- 
ODD framework. 


2.1 Simulation Identification 


Identifying the simulator used in a MANET simulation study is a key factor 
in determining a study’s validity and reproducibility. It is vital that researchers 
identify and list the simulator used in their paper. Of 114 simulation papers 
surveyed in [3], roughly 30% failed to identify the simulator used and 27% used 
a custom simulation tool. Similarly, fewer than 40% of the simulation studies 
reviewed in [4] reported the simulation tool and version used. Neglecting to 
specify the simulation tool and version, or failure to provide access to the cus- 
tom simulation tool compromises the repeatability and reproducibility of the 
simulation. 


2.2 Input Parameters 


Clearly identifying the input parameters used in a MANET simulation study 
is a crucial factor in determining a study’s reproducibility. It was found that 
10% of MANET simulation study papers surveyed in [4] did not report any 
parameters used in the simulation, and only 32% provided partial information. 
Of the papers surveyed in [3], 43% did not state the number of nodes used or the 
transmission range, 55% did not state the simulation duration, 64% did not state 
the number of simulation runs, and 47% did not state the size of the simulation 
area. The incomplete reporting of parameters (along with the failure to identify 
simulation tools) rendered 53% of papers reviewed in [4] non-reproducible. It is 
important to list the input parameters, as the default parameters are not always 
appropriate for the purpose of the study. Omitting them may cause a researcher attempting 
to reproduce the simulation to choose incorrect parameters or assume that the 
default parameters are correct, making it impossible to reproduce (and verify) 
simulation results. See Fig. 1 for an example. 


parameter                        symbol   value(s)
Number of nodes                  n        127, 2110, 37777, 108360
Node speed                       v        (0,10) m/s
Node pause time                  Pi       (0,20) s
simulation length                T        4h
world area                                5km x 5km
routing protocol                          DSDV
messages sizes                            512 bytes
number of iterations per setup            30
Radio model                               802.11b, 2.4GHz
propagation delay model                   constant speed delay
propagation loss model                    log distance loss
loss exponent                             3
loss reference loss                       41.7dB
antenna Rx gain                           0 dB
antenna Tx gain                           0 dB


Fig. 1. An example list of parameters from a proposed simulation study in [8]. 


2.3 Mobility and Propagation Models 


The mobility models used in a MANET simulation study are important for 
the verification of the study. This is because different mobility models result in 
different movement characteristics of nodes [9,10]. It allows other researchers 
to verify the validity of the study and the information presented. For example, 
using a freeway mobility model to represent node mobility of students walking 
on campus would be an inappropriate choice. In [4], only 5% of studies provided 
complete information on the mobility and propagation models used, while 47% 
did not mention the mobility model used and 69% did not report the radio 
propagation model used. Additionally, in [3], 42% did not mention the type of 
mobility tool used, while approximately 57% did not state the type of mobility 
model used. For the correct conclusions to be drawn in MANET research, it is 
imperative that a peer reviewer be able to verify the validity of a MANET study, 
and to do so a researcher needs to provide complete information regarding the 
mobility model and propagation model used. It is also equally important that 
the appropriate mobility model is chosen, as using the incorrect mobility model 
renders the simulation and its findings irrelevant. 


2.4 Statistical Validity 


Statistical analysis is necessary to ensure the validity of findings of any 
simulation-based paper. MANET simulation studies are not exempt from this. 
Regardless, of the papers reviewed in [4], 84% did not report the seed value, 
61% did not report the number of simulations run, and 66% did not report 
confidence intervals. Further, 64% of papers in [3] failed to indicate how many 
simulations were conducted. This is problematic as observations from a single 
simulation run should never be used for conclusive or generalizable results; single 
simulation runs fail to account for the stochastic nature of a simulation [3]. It 
is also important to identify sources of bias (removing or mitigating bias where 
possible) for a study to be statistically sound and generalizable. However, over 
90% of studies in [3] may have suffered from initialization bias - the influence 
of initialization settings on study results. The presence of this bias may result 
in “contamination” of the conclusions determined by the study. To avoid this 
bias, researchers often delay gathering data from a simulation for a given period, 
called the “warm up” period [11]. Overall, less than 6% of the simulation studies 
reviewed in [3] and [4] were statistically sound. Statistical validity is essential to 
the credibility of a simulation paper. Thus, it is important to provide all required 
statistical information, as “lack of statistical information puts the validity of the 
paper in doubt” [4]. 


2.5 File Accessibility and Sharing 


The lack of file accessibility and sharing impedes MANET research. It hinders 
the ability of researchers to reproduce a given simulation, which in turn makes 
the validity of a simulation extremely difficult to determine. Of the hundreds 
of MANET simulation papers available, it is impossible to expect a reader to 
be able to perfectly reproduce a simulation study with only a (partial) list of 
variables, functions, processes, equations, and the simulator details. Not being 
able to access simulation code and data sets creates a barrier for researchers 
trying to reimplement an algorithm. It leaves researchers and peer reviewers 
with no way to verify that the simulation was properly coded or configured, that 
the data used in the simulation was feasible, or that a replicated simulation is 
accurate. Despite this, not a single paper reviewed by [3] provided statements 
about code or dataset availability. This makes it so that new researchers cannot 
reproduce any studies [3], hindering further research and advances in the space. 
Thus, MANET simulation code, configuration files, and data sets should be 
publicly available, or described in sufficient detail to facilitate reproducibility. 


3 M-ODD Protocol 


The purpose of the M-ODD protocol is to provide a structure and guideline 
for future MANET simulation studies that ensures all information required to 
verify the validity of the study is present. The M-ODD protocol can be broken 
into three main sections with nine subsections (compared to the original seven 
subsections). We retain the three main sections of Overview, Details, and Design 
Concepts [5]. The Overview section remains unchanged with three subsections: 
Purpose, State Variables and Scales, and Process Overview and Scheduling. The 
purpose of the Overview section is to provide the reader with a skeleton of the 
program implemented for simulations [5]. We follow the outline of the design 
concepts section, which discusses related general concepts, the design of the 
model, model objectives, and collection of observations [7]. We also propose two 
additional subsections (System Requirements and Software Overview) to the 
Details section to ensure that researchers know which materials are required to 
reproduce the simulation study. As such, the Details section is now composed of 
Initialization, Input, System Requirements, Software Overview, and Sub-models 
subsections. The details section aims to provide the reader with enough infor- 
mation to “re-implement the model and run the baseline simulations” [5]. 


3.1 The O of M-ODD: Overview 


Purpose. The Purpose subsection is used to justify the model chosen, and 
to list the goals of the model [5]. Due to the nature of MANET studies, it is 
important that all models and algorithms be listed in the Purpose subsection, 
along with a short and concise justification of the chosen model or algorithm, 
and what the researcher hopes to achieve with the use of the model or algorithm. 
For example: if one uses a random waypoint mobility model with a quality-of- 
service algorithm, there should be a brief description of the model and algorithm, 
appropriate references, and justification and expectations of both items. This is 
typically provided in the introduction of the paper [5]. 


State Variables and Scales. The State Variables and Scales subsection is 
used to list all the state variables needed for the simulation study. State vari- 
ables or low-level variables are variables that cannot be derived from other vari- 
ables. Such variables should include the number of nodes, transmission range, 
movement speed, pseudo random number generator seed, and more. The unit of 
measurement should be provided for variables that require them. State variables 
should be presented in a table along with a brief description of the variable (see 
table 3 in [5] for an example). Scales can be presented in a separate table with 
the scale name. Network topology can also be described. A list of all messages 
and functions should be provided (for examples, see [12,13]). Due to the con- 
siderable number of variables needed to conduct a MANET simulation, it may 
be challenging to list all variables in a table in a conference or journal paper. 
We suggest that variables most integral to the study be published in a table in 
the body of the paper, with a complete list of simulation variables provided in 
supplementary materials or publicly available. 


Process Overview and Scheduling. The Process Overview and Schedul- 
ing Subsection should provide the user with a “skeleton” of the functions and 
algorithms used in the simulation. Each process (including the order in which 
they are executed) and the effects of the process (including the order in which 
variables are updated) should be described for the reader [5]. If there are many 
processes used for the model, a table with all the processes listed should be pro- 
vided [5]. See section V of [13], or [14,15] for several good examples of this. In 
particular, [13] describes the algorithms included in each function and the order 
in which the processes occur. To improve readability and understanding, the use 
of flow charts, sequence diagrams, class diagrams, and other UML diagrams is 
highly encouraged. 


3.2 The First D of M-ODD: Design Concepts 


Description of general design concepts begins with the inclusion of the basic prin- 
ciples and objectives of a simulation. General concepts, theories, hypotheses, and 
modelling approaches related to the simulation design are included here, as well 
as a description of how they relate to the simulation’s execution [7]. The scope 
of the system and applications of the simulation should be discussed, as well as 
its objectives, how the objectives will be measured, and potential thresholds to 
determine if a simulation has achieved its objectives [7]. The simulation design 
should also be clearly stated. 

In the case of MANET simulation studies, it is particularly important to 
address the following two questions as part of the simulation design: 1) how are 
things grouped, and 2) how are data collected from the simulation for testing, 
understanding, and analysis? [5]. In the former case, this question should be 
used to provide details about how a cluster is grouped, how a network partition 
is grouped, and so on (see [16] for a detailed discussion describing how a node 
is grouped into a network partition). In the latter case, details regarding the 
method of collecting data across all simulation runs are required. For example, 
if the first 400 seconds of data were ignored in a 2000-second-long simulation, 
justification and reasoning should be provided. If simulations were completed 
under different scenarios (e.g., using a different number of nodes, transmission 
range, grid size, etc.) then each scenario should be described, including purpose 
and justification for inclusion in the study. Researchers may also want to include 
a description of the traffic model here. Which nodes are sources and sinks? 
How many of each, how often are they generating packets? Of what size? Is 
the payload constant, or variable? Is it using TCP, UDP, QUIC, or something 
else? What is the network stack model? Is it using a TCP/IP stack? Is it using 
802.11 WLAN? Something custom? Has any of it been modified? If so, are those 
algorithms provided? 

Here we also discuss the results and analysis of the study, specifically address- 
ing whether the observed outcomes matched expected outcomes. For clarity, 
observations should be provided in accessible tables or figures (including the 
unit of measurement when needed). Figures should be labelled and drawn to 
support accessibility and understanding. Any other additional visual materials 
used to support the analysis of simulation results can be included in the obser- 
vation subsection. 


3.3 The Second D of M-ODD: Details 


Initialization. The Initialization subsection is similar to the State Variables 
and Scales subsection from the Overview section. However, rather than listing a 
brief description of each state variable, we now provide a table with a list of all 
the state variables and their values. If the values change per simulation, then it is 
recommended to include multiple tables or a multi-column table with the values 
for each simulation run. The initialization table and the state variables table can 
be viewed as one table shown in [5]. Just as mentioned in the State Variables 
subsection, the units of measurement must be included with the values of the 
variables that require them. As a MANET simulation typically has hundreds of 
variables, it is unreasonable to expect all variables to be listed in the paper given 
space constraints. A reference to a publicly available table with all variables and 
their values should be provided in the paper or in supplemental materials. The 
initialization table must include: the transmission range, the transmission range 
type (e.g., asymmetrical), number of nodes, PRNG seed, number of simulations 
run (for each simulation type), data generation variables, how nodes are placed, 
and the length of time the simulation is run. If there are additional factors that may 
alter the communication range of a node (e.g., constructive, or destructive inter- 
ference), they should be listed as additional notes relating to the initialization 
table. 


Input. The Input subsection follows a similar format to the Initialization sub- 
section. Specifically, a table describing all simulation input variables and their 
values across each simulation is required. If the number of input variables is large 
(relative to publication guidelines), a reference to a publicly available input file 
should be available. It is incredibly important that all input variables are pro- 
vided and correctly recorded, as the simulation output is a direct reflection of 
the dynamically input variables [5]. 


System Requirements. The System Requirements subsection provides the 
tools that a researcher will need to replicate output from a MANET simulation. 
For transparency, a list of system requirements should be provided. The list 
should consist of CPU specifications, the operating system and version, the kernel 
version, the storage space needed to run the simulation and host all the files and 
programs needed for the simulation, along with any additional requirements 
needed to run the simulation (for example, see Fig. 2). 


Software Overview. The Software Overview subsection is an essential subsec- 
tion of the M-ODD protocol, as there is no way to reproduce a simulation if the 
tools used to program and run the simulation are unknown to a researcher. To 
facilitate reproducibility, the simulation software and version should be docu- 
mented, along with any additional simulation software modules used. Animator 
software and version, code language and version, data types, variable settings, 
and encryption standards also need to be documented in the paper. In addition, 
if a finite state machine is used, the name of the machine, along with the 
appropriate state diagram and transition table should be included. All 
configuration and scenario files and code should be made publicly available and 
referenced in the paper. If a custom simulation tool was used, the simulation tool 
should also be made publicly available for download and referenced in the paper 
(or described in sufficient detail to support replication). See [17] for example. 
It is also recommended to reference a Docker image or an executable that is 
runnable on most machines. For example, the simulation study described in Fig. 2 
indicates it was implemented using a Fedora 33 operating system, with kernel 
version 5.12.8-200, using simulation tool NS3 version 3.32. 

Item             | Version 
CPU              | Ryzen7 2700x 
GPU              | ROG Strix 2080ti-OC 
Operating system | Fedora 31 
Kernel version   | 5.8.18-100 
NS3 version      | 3.32 
Netanim          | 3.108 
Python           | 3.7.9 

Fig. 2. Example system requirements list [8]. 
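
One way to produce the System Requirements and Software Overview information described above, and to check that the Initialization items the protocol requires are all present, is a small manifest script. This is an added example, not code from the paper or from [17]; the key names, the SHA-256 digests used to pin the shared scenario files, and the sample values are assumptions of this example.

```python
import hashlib
import os
import platform
import tempfile

# Items the M-ODD text says the initialization table must include.
# The key names are this example's own; the paper defines no schema.
REQUIRED_INIT = (
    "transmission_range_m", "transmission_range_type", "num_nodes",
    "prng_seed", "num_runs", "data_generation", "node_placement",
    "sim_length_s",
)
# Software Overview items (simulator and language, each with a version).
REQUIRED_SOFTWARE = (
    "simulator", "simulator_version", "language", "language_version",
)


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large trace files are not read in at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def system_requirements():
    """Collect the System Requirements items from the host running the study."""
    return {
        "cpu": platform.processor() or platform.machine(),
        "operating_system": platform.system(),
        "os_version": platform.version(),
        "kernel_version": platform.release(),
    }


def build_manifest(init, software, artifact_paths):
    """Bundle host details, declared values and one digest per shared file."""
    return {
        "system": system_requirements(),
        "initialization": dict(init),
        "software": dict(software),
        "artifacts": {os.path.basename(p): sha256_file(p)
                      for p in artifact_paths},
    }


def missing_items(manifest):
    """List required items that are absent or empty (a seed of 0 is valid)."""
    missing = []
    for section, keys in (("initialization", REQUIRED_INIT),
                          ("software", REQUIRED_SOFTWARE)):
        declared = manifest.get(section, {})
        for key in keys:
            if declared.get(key) in (None, ""):
                missing.append(f"{section}.{key}")
    if not manifest.get("artifacts"):
        missing.append("artifacts")
    return missing


def verify_artifacts(manifest, directory):
    """Return the files that are missing or whose content has changed."""
    changed = []
    for name, digest in manifest["artifacts"].items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or sha256_file(path) != digest:
            changed.append(name)
    return sorted(changed)


def demo():
    """Run the checks on constructed sample data (not taken from any study)."""
    with tempfile.TemporaryDirectory() as workdir:
        scenario = os.path.join(workdir, "scenario.cfg")
        with open(scenario, "w") as fh:
            fh.write("nodes=100\nrange_m=250\n")
        init = {  # constructed values; prng_seed deliberately left out
            "transmission_range_m": 250, "transmission_range_type": "symmetrical",
            "num_nodes": 100, "num_runs": 30, "sim_length_s": 2000,
            "data_generation": "constant bit rate, 512-byte payload",
            "node_placement": "uniform random",
        }
        software = {  # simulator and Python versions as listed in Fig. 2
            "simulator": "NS3", "simulator_version": "3.32",
            "language": "Python", "language_version": "3.7.9",
        }
        manifest = build_manifest(init, software, [scenario])
        missing = missing_items(manifest)
        before = verify_artifacts(manifest, workdir)
        with open(scenario, "a") as fh:  # simulate a silently edited scenario
            fh.write("range_m=500\n")
        after = verify_artifacts(manifest, workdir)
    return missing, before, after
```

Publishing the manifest alongside the scenario files lets a reader confirm that the files they downloaded are the ones the reported runs used.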


Sub-models. The Sub-models subsection provides the reader with an in depth 
understanding of the processes listed in the “Process Overview and Scales” sec- 
tions in [5]. There are two approaches that can be taken to the Sub-models 
subsection, which depends entirely on the space limitation of the paper. The 
reader should be provided with enough detail to thoroughly understand and re- 
implement the model to complete the simulation themselves. The first option, if 
limited in space, is to supply a mathematical “skeleton” of the model [5]. The 
skeleton version should consist of a list of the equations, parameters and rules 
used in the model. Each equation and rule should have a brief explanation, while 
parameters should have a slightly more in-depth explanation. If the list of equa- 
tions is too long, a complete list should be referenced and publicly available to 
the reader. 

Our second option is to provide a full model description. The full model 
description is a more detailed version of the skeleton version. This means that 
the choice of equations and parameters should be fully explained and justified. 
All assumptions made must also be explained and justified. When completing 
a full model description, you want to answer questions such as: “What specific 
assumptions are underlying the equations and rules? How were parameter values 
chosen? How were sub-models tested and calibrated?” [5]. We can see a brief list 
of the parameters used in the model in Fig. 1. To improve upon this table, we 
could include a brief explanation of the parameter. It would also be helpful to 
provide a list of equations used for the calculations of any parameters or values. 
In addition, when providing a full model description, we will be following the 
“Inclusion of rationale” guide provided by Grimm et al. (Section 4.3, [6]). This 
includes providing clarity and credibility to the readers by answering “why was 
this model chosen?” [6]. 


4 Application of the M-ODD Protocol 


In this section, we begin with a review and ranking of a series of research publi- 
cations by Ernst and Brown [17-23]. Each paper is reviewed and ranked based 
on the presence (+1 point) or absence (no points) of information required by 
the M-ODD protocol. Each paper can achieve a total of 35 points: 6 points from 
the Overview section; 2 points from the Design Concepts section; and 27 points 
from the Details section. Points are achieved by including information such as 
initialization of variables, system requirements, design concepts, and any other 
information suggested in the M-ODD outline. Following this, we describe the 
work of [17] through the lens of the M-ODD protocol and in comparison to 
[18-23]. We chose to apply the M-ODD protocol to [17] as it was neither the highest 
nor lowest ranked paper, but still performed well in comparison to [18-23]. 


4.1 Ranking 


Each paper [17-23] was reviewed and scored using a simple presence/absence 
scoring system (see Table 1). The total score is a weighted average of the scores 
achieved in the Overview, Design Concepts, and Details sections of the M-ODD 
protocol. A score of 0% indicates that the article did not satisfy any of the M-ODD 
requirements and, we assert, would be difficult to reproduce. A score of 
100% indicates that an article satisfied all the M-ODD requirements, and by 
extension should be reproducible. 

The lowest scoring paper [18] achieved a score of 16%. This score was due 
to the lack of inclusion of purpose, state variables, initialization variables, soft- 
ware overview, system requirements, input, and grouping information (to name 
a few). The paper provided insufficient information to allow a researcher to easily 
reproduce or verify it. The same can be said for [20] which scored only slightly 
higher at 19%. On the opposite end of the spectrum, [23] scored 61%. This paper 
satisfied all the requirements of the Overview section, Design Concepts section, 
and half the requirements of the Details section. The unsatisfied requirements 
of the Details section come from initialization values not being specified (i.e., 
transmission range, pseudo random number generator seed, etc.), as well as lack 
of information regarding system requirements. 

The remaining papers have scores that range between 30% and 40%. The 
variation is due to the amount of detail provided in the papers that sufficiently 
describe the initialization variables, system requirements, and software overview. 
None of the surveyed papers provided information describing the system require- 
ments, the pseudo random number generator seed, or the transmission range. 
Very few of them described the simulation tool(s) used, the number of nodes, 
the number of simulations run, or the length of the simulation. 


Table 1. M-ODD protocol performance scores of [17-23] 


Article | Article total score | Overview score | Design concepts score | Details score 
17      | 40%                 | 75%            | 100%                  | 28% 
18      | 16%                 | 25%            | 50%                   | 11% 
19      | 37%                 | 75%            | 100%                  | 24% 
20      | 19%                 | 8%             | 50%                   | 15% 
21      | 27%                 | 33%            | 100%                  | 20% 
22      | 30%                 | 42%            | 100%                  | 24% 
23      | 61%                 | 100%           | 100%                  | 50% 
Average | 33%                 | 51%            | 86%                   | 25% 


4.2 Application of the M-ODD Protocol 


In this section, we further explore Ernst and Brown’s research in [17]. Their study 
aimed to improve the performance of multi-hop wireless networks as peripheral 
nodes would often suffer from poor performance due to starvation. They analyzed 
the performance of multi-hop wireless networks using the mixed-bias technique, 
TS mixed-bias technique, as well as the evolutionary mixed-bias technique. Here 
we provide a detailed discussion of the scores this paper achieved in reference to 
the requirements of the M-ODD protocol. 


Overview. As indicated in Table 1, [17] achieved a score of 75% for the Overview 
section of the M-ODD protocol. This score was achieved because the paper 
clearly described its purpose and because it described the necessary details 
required of the Process Overview and Scheduling subsection. However, it failed 
to describe the state variables and scales that are needed to improve the repro- 
ducibility of the work. 


Purpose. The paper describes that the purpose of the use of mixed-bias schedul- 
ing is to “improve the performance of peripheral nodes in multi-hop networks,” 
and “give more resources to nodes closer to gateways to improve their abil- 
ity to handle their own traffic and peripheral traffic” [17]. This information is 
clearly included in the introduction and excerpt of the paper. Further, the paper 
describes how mixed-bias scheduling was chosen as “mixed-bias has a lower like- 
lihood of starvation compared to max-min, and proportional fairness may not 
contain a strong enough bias to support nodes which are multiple hops away from 
the gateway” [17]. Overall, [17] fulfilled the Purpose requirements, as it justified 
the scheduling algorithm chosen, as well as its main goal in the introduction. 


State Variables and Scales. In the case of state variables, not much infor- 
mation is provided. While the paper indicates that the number of routers used 
in the simulation is 100, the number of clients is not known. Further, the pseudo 
random number generator seed is not provided, neither is the transmission range 
of the nodes. In terms of the State Variables and Scales subsections, [17] performs 
extremely poorly. 


Process Overview and Scheduling. All information needed in the Process 
Overview and Scheduling subsection can be found in section 3 of [17]. In section 3, 
a handful of algorithms are provided to the reader, as well as a detailed expla- 
nation of the purpose and function of each algorithm. This provides the reader 
with a clear understanding of the “flow” of the program, along with its purpose. 


Design Concepts. Ernst and Brown’s research in [17] received a Design Con- 
cepts score of 100%. For grouping, the paper describes that nodes on the network 
were grouped into one of three types: gateway, router, client. We also note that 
all observational figures and graphs were labelled properly, and that the data 
was color coded depending on the algorithm used for readability. All graphs were 
followed by a paragraph discussing the results of the simulations. All the require- 
ments for the Design Concepts section were clearly satisfied by the information 
provided in [17]. 


Details. Ernst and Brown’s research in [17] received a sub-par score for the 
Details section of the M-ODD protocol (28%). The score was the result of failing 
to satisfy most of the subsections of the M-ODD protocol. 


Initialization. The initialization subsection performs well compared to other 
papers surveyed in this study, as the transmission type, number of nodes, and 
placement of nodes are discussed. However, the transmission range, pseudo ran- 
dom number generator seed, number of simulations run, length of time a simula- 
tion is run, as well as any data generation variables were not listed. Initialization 
variables can be found in Table 2. Additional information such as the number of 
nodes, the number of points that generate the nodes, and maximum delay time 
were also not included. These are all variables that are referenced in [17], but 
whose values are not defined. In addition, there is no reference to, or mention of, 
a file or additional table which holds all the initialization variables. Due to the 
considerable number of variables and unprovided values, [17] does not satisfy 
the requirement of the Initialization subsection. 


Input. There is no mention of whether any values were input into the simulation, 
and no table or additional file is referenced. 


System Requirements. The System Requirements subsection remains unsatisfied. 
There is no information regarding the CPU used, OS version and kernel, or stor- 
age space required. However, the paper does provide some information describing 
the finite state machine used (in the form of a state table and transition table). 


Table 2. Initialization values described in [17] 


Parameter          | Value 
Size of network    | 100 (10 x 10 routers) 
α                  | 0.5 
β₁                 | 2 
β₂                 | 5 
Transmission type  | IEEE 802.11 
Inter-arrival rate | 0.01 
Node distribution  | Uniformly distributed 


Software Overview. There is some improvement in the Software Overview sub- 
section, as we can note the simulation tool used is ns-3.13. However, information 
such as if any additional modules are required, the data types, variable set- 
tings, animator software version, and encryption standards are not mentioned. 
There is also no executable referenced. Some of the requirements of the Software 
Overview section are satisfied, but overall [17] performs poorly here. 


Sub-models. Various mathematical formulas and calculations are provided, along 
with an explanation of the variables, and purpose of the formula. Any assump- 
tions made are stated in the paper, along with a justification for the assumptions 
made. Most parameters are listed and explained; however, they are not provided 
in a table and the reader is forced to search through various sections of [17] to 
gather all the parameters. For that reason, we have created a list of parameters, 
shown in Table 3, that would improve the readability and ease of 
reproducibility. 


Table 3. Parameters of [17] 


Parameter | Value     | Description 
α         | 0 < α < 1 | Controls mix between strong and weak bias 
β         | N/A       | How strongly to bias against a characteristic? 
c         | N/A       | Characteristic one wishes to bias proportionally against 
Q_max     | N/A       | Limit of the maximum number of states a machine is allowed to process in an evolutionary process. 
TABUMOVE  | N/A       | Number of iterations before a new move is attempted on the network. 
TABURESET | N/A       | How long before a reset back to the current known best solution 


5 Conclusions 


Creating reproducible and credible work should be a top priority for researchers. 
Yet, there are and continue to be shortcomings in published MANET research 
that hinder reproducibility. As noted by previous reviews, a majority of MobiHoc 
papers published between 2000 and 2005, and IEEE and ACM papers published 
between 2010 and 2017 are not reproducible. The aim of the M-ODD protocol is 
to provide researchers with a standard format for publicizing MANET 
simulation research papers. This will in turn ensure that a simulation paper is 
reproducible, statistically sound, and credible. Improving the reproducibility of 
MANET simulation papers will allow peer reviewers to be able to verify the 
validity of the results presented, and provide a stable stepping stone for future 
researchers to be able to expand upon existing research and conduct the 
simulations presented with greater ease. 

Further, the M-ODD protocol should allow researchers to achieve the green, 
blue, or red Artifact Available badge (see [24]) for their simulations. The green 
artefact signifies that any artefacts are available in a permanent archival reposi- 
tory while a red artifact signifies that “a reviewer has verified that the artefact is 
documented, complete, consistent and exercisable” [24]. Lastly, the blue artefact 
means that an independent reviewer has successfully reproduced the study and 
obtained the results of the paper [24]. 

In the 4-year span between the publication of [5] and [6], Grimm et al.’s ODD 
protocol was included in over 50 publications. This is a result we hope to see 
in Mobile ad hoc Network Simulation publications with the presentation of the 
M-ODD protocol in this document. With the achievement of such a result, and 
a continuous increase of papers published using the protocol, the reproducibility 
of MANET simulation papers should improve over the years. 
Abstract. The problem addressed in this paper is adaptable long range 
underwater acoustic communications. We use low frequency underwa- 
ter acoustic waves that have potential for long range communications. 
Underwater propagation conditions can vary considerably. We define pro- 
tocol elements for adaptable underwater communications. They comprise 
six frame formats with a wide range of robustness with respect to the 
underwater communication conditions. We vary the interval of symbols of 
4-tone Frequency-Shift Keying modulation from one format to another. 
This has the effect of increasing the SNR. Hence, the ability to operate 
in less favorable conditions. The performance of our design is evaluated 
through simulation. 


Keywords: Underwater communications · Weak signal 
communications · Arctic · Software-defined communications 


1 Introduction 


The underwater environment is a relatively new data communication challenge. 
The need for underwater communication is related to applications such as mon- 
itoring and surveillance of coastal waters [21], submarine activity sensors [22], 
autonomous undersea vehicles [10], underwater robots [7] and submerged air- 
plane locator beacons [29]. 

In this paper, we focus on low frequency acoustic communications [11,16]. We 
aim at long-range underwater acoustic communications that are robust to envi- 
ronmental changes. They are critical for wide-area surveillance systems devel- 
oped for the Canadian Arctic [12]. Recent studies [13] tend to demonstrate that 
underwater communications in high frequency ranges can reach up to 10-to-20 
km with reasonable power levels. In contrast to high frequencies, Stojanovic has 
pointed out that attenuation is lower in low frequencies [26]. The potential for 
very-long distance transmissions in low frequencies has been established [15]. 

In our research, we focus on the acoustic 200 Hz to 2 kHz frequency band 
for long-range underwater communications. We also acknowledge that the narrow 
half-power bandwidth, associated with low underwater acoustic frequencies and 
long distances, limits applications to low data rates. In Refs. [1-4,8,18,19], we 
describe the design of a physical and frame layer protocol for long range under- 
water communications. In a recent companion paper, we have been able to show 
that we can achieve source-receiver separation distances well above 30 km in 
the Canadian Arctic environment [9]. The goal of the research presented in this 
paper is to improve the robustness of our communication system. We aim to 
achieve much larger source-receiver separation distances (in the order of 100-to- 
500 km) and introduce adaptability to environmental changes (such as variations 
in the nature or magnitude of noise, ice presence, and sound speed profile). The 
intention is to realize a design that can achieve long-range communications in 
the Canadian Arctic environment, in all seasons. 

In this paper, we define six frame formats with increasing degree of robust- 
ness. Our strategy is to increase robustness by augmenting the Signal-to-Noise 
Ratio (SNR), in particular the energy contained in every 4-tone Frequency-Shift 
Keying (4-FSK) symbol. The performance of the six frame formats is char- 
acterized through simulation. Building on these six frame formats, we define 
adaptability protocols to variable underwater propagation conditions. 

Related work is reviewed in Sect. 2. The underwater communication system 
design is reviewed in Sect. 3. The design of the receiver is outlined in Sect. 4. Its 
Matlab™ implementation is discussed in Sect. 5. Performance evaluation results 
are presented in Sect. 6. The adaptability protocols are specified in Sect. 7. 
Section 8 concludes the paper. 


2 Related Work 


Song et al. emphasized that one of the key underwater communication issues is 
adaptability to changing propagation conditions [25]. Most of the adaptability 
techniques rely on the use of feedback returned by the receiver to the source 
to dynamically adapt transmission parameters, such as modulation or Forward 
Error Correction (FEC) [5,6,24,28]. 

In this paper, we adapt the SNR to the propagation conditions. The SNR is 
defined by the following equation: 

$$\mathrm{SNR} = \frac{P}{N} = \frac{E_b R}{B N_0} \qquad (1)$$


This equation states that the SNR is equal to the ratio of the signal power ($P$) 
over the channel noise power ($N$). In turn, the signal power is equal to the 
product of the energy per bit ($E_b$) times the data rate ($R$), while the channel 
noise power is equal to the product of the channel bandwidth ($B$) times the 
noise power spectral density ($N_0$). It is a well-established fact that augmenting 
the SNR increases the robustness of communications [23]. Indeed, higher SNR 
does achieve better Bit Error Rate (BER) and Frame Error Rate (FER). To 
increase the SNR, we can either augment the values of the numerators $E_b$ or 
$R$ or lower the values of the denominators $B$ or $N_0$. The noise power spectral 
density is a function of the environment. The transmission power, hence the 
quantity $E_b$, can be cranked up at the expense of energy consumption. The 
transmission power is constrained by the capabilities of the equipment. The 
bandwidth can be narrowed. We do use a very narrow bandwidth signal already 
(4.4 Hz). In this paper, we make the choice of lengthening the time interval of 
symbols to improve robustness of underwater communications. The data rate $R$ 
is reduced. For a given power level $P$, there is more energy in every bit ($E_b$). 
The bit SNR ($E_b/N_0$) is augmented, proportionally to the reduction of $R$. 


Table 1. Frame formats of the six communication modes. 


Mode   | T (sec.) | F (sec.) | R (bps) | Efficiency | k  | Samples/symbol | FFT bin width (Hz) 
1 min  | 0.34     | 55.30    | 0.90    | 0.21       | 1  | 128            | 1.46 
2 min  | 0.68     | 110.59   | 0.45    | 0.10       | 2  | 256            | 0.73 
4 min  | 1.37     | 221.18   | 0.23    | 0.05       | 4  | 512            | 0.37 
8 min  | 2.73     | 442.37   | 0.11    | 0.03       | 8  | 1024           | 0.18 
16 min | 5.46     | 884.74   | 0.06    | 0.01       | 16 | 2048           | 0.09 
20 min | 6.83     | 1105.92  | 0.05    | 0.01       | 20 | 2560           | 0.07 


3 Communication System Design 


To support various underwater communication propagation conditions, we define 
six different modes of communications. Every mode has a corresponding frame 
format. Table 1 shows key design parameters for every format. 

The formats have common and specific parameters. For all modes, every 
frame comprises 162 channel symbols that encode 50 data bits. Convolutional 
FEC of the data bits yields 162 code bits. Every code bit is paired with a 
synchronization bit. Each pair makes a channel symbol. The 4-FSK complex 
modulation envelope frequencies are −2.2, −0.73, 0.73 and 2.2 Hz, corresponding 
to the channel symbols 11, 10, 01 and 00. The signal bandwidth is 4.4 Hz. Every 
mode has a specific symbol time interval (T) and, consequently a specific frame 
interval (F), the second and third columns in Table 1. The value of the third 
column results from the product of the number of symbols (162) times the symbol 
time interval. For each frame format, the fourth column shows the achieved 
effective data rate (the ratio 50/F). Defining the bandwidth efficiency as the 
ratio effective data rate over bandwidth, (the ratio R/4.4), the fifth column 
shows the bandwidth efficiency for every mode. 

In previous papers, we described several aspects of our communication system 
design [1-4,8,18,19]. In the sequel, we focus on the aspects that are new and 
required for the support of the six frame formats. We also briefly summarize the 
mechanisms that have been described in our previous papers. 


3.1 Physical Layer: 4-FSK 


We use 4-FSK modulation, a specific kind of Multiple Frequency-Shift Keying 
(MFSK). Orthogonality of MFSK symbols is guaranteed when the frequency separation 
between symbols Δf is equal to the ratio k/(2T), for a positive integer 
k (see Ref. [20], p. 110). As a function of the supported mode, the sixth column 
of Table 1 shows the value of the positive integer k. The resulting frequency 
separation between symbols and signal bandwidth are the same for all modes, i.e., 
1.46 and 4.4 Hz. Although six different frame formats are defined, only 
one type of modulation needs to be supported. This simplifies the implementation. 


4 Receiver Design 


The receiver uses a common sampling rate for all supported modes, 375 samples 
per second. This means that 187 Hz of signal bandwidth is simultaneously processed. 
The receiver searches for frames in a frequency domain representation of the signal 
bandwidth. This achieves an auto tune capability that can deal with frequency 
drifts due to Doppler effects and source-receiver frequency misalignments. 


4.1 Frequency Domain Representation 


The seventh column of Table 1 shows the number of samples per symbol for 
every mode. The receiver constructs a frequency domain representation of the 
signal bandwidth using the Fast Fourier Transform (FFT). Every FFT spans the 
duration of two symbols. The eighth column of Table 1 provides for every mode 
the FFT bin width (Hertz). The bin width is calculated by dividing the sample rate 
by two times the number of samples per symbol. 

Using the frequency-domain representation, candidate frequencies are identi- 
fied as the presence of local Signal-to-Noise Ratio (SNR) peaks and correlation 
with the bit synchronization pattern. To find the peaks, the smoothed average 
magnitude level at each frequency bin is calculated. The magnitude is smoothed 
taking, for each frequency, the sum of the magnitudes of signals within the sig- 
nal bandwidth (4.4 Hz). The frequency domain representation is normalized with 
respect to the noise level. The smoothed representation of the spectrum yields can- 
didate frequencies, that is, signal peaks with potential frames. Candidate frequen- 
cies are examined to evaluate correlation with the 162-bit synchronization pattern. 
There is correlation when there are consistently energy peaks at signal positions 
corresponding to synchronization bits. When a correlation with the bit pattern 
is confirmed, candidate frequencies are analyzed in more depth. Following that 
second frequency-domain analysis, relevant parameters are obtained that include the 
estimated time shift (relative to the sample window start) and SNR. The next step 
resolves time delays and demodulates the signals at the candidate frequencies. 


4.2 Soft Symbol Calculation 


We use Fano sequential decoding of convolutional codes [14,17]. It is sub-optimal, 
but it can process codes with long coding sequences, 32 bits in our case. Fano 
sequential decoding requires the calculation of soft symbols. We explain how 
we calculate soft symbols. Let $x_0, x_1, \ldots, x_{n-1}$ represent the discrete complex 
samples of channel data. In 4-FSK, at every symbol position there are four 
possible symbol values. For each of the four 4-FSK possibilities, the power of 
the signal at every position is calculated. Over a symbol interval of length T, 
signal samples $x_t$ correlated with the waveform values $e^{-j2\pi ft}$ are added together 
to obtain the total signal magnitude at every symbol frequency, for $i = 0, \ldots, 161$ 
and $f = -2.2, -0.73, 0.73, 2.2$: 

$$P_{i,f} = \left| \sum_{t=iT+\tau}^{(i+1)T+\tau-1} x_t \, e^{-j2\pi ft} \right| \qquad (1)$$


This calculation of cumulative power is represented in the diagram of Fig. 1. 


[Figure 1: Symbol (Time) axis versus Frequency (Hz) axis, with the four 4-FSK symbols placed at -2.2, -0.73, 0.73 and 2.2 Hz.]


Fig. 1. At symbol position i, cumulative power for each of the four possible 4-FSK 
symbols (red-dotted line delimited). (Color figure online) 


The corresponding channel symbols, in binary, are also shown, 00, 01, 10 and 
11. Every box, delimited by red dotted lines, represents a frequency-symbol-amplitude 
space where sample values $x_t$ for symbol $i$ are correlated with waveform 
values $e^{-j2\pi ft}$ and summed up, resulting in a magnitude denoted as $P_{i,f}$. 
For every channel symbol, note that the most significant bit is the data bit while 
the least significant bit is the synchronization bit. 

For every symbol index $i$, soft symbol $\sigma_i$ is calculated, according to the value 
of the synchronization bit at position $i$, $s_i$: 

$$\sigma_i = s_i \cdot (P_{i,2.2} - P_{i,-0.73}) + \bar{s}_i \cdot (P_{i,0.73} - P_{i,-2.2}) \qquad (2)$$

When the synchronization bit ($s_i$) is one, the term $P_{i,2.2} - P_{i,-0.73}$ represents 
the difference of power at the symbol corresponding to data bit one versus the 
power at the symbol corresponding to data bit zero. The term $P_{i,0.73} - P_{i,-2.2}$ 
does the same when the synchronization bit at position $i$ is a zero. A positive 
$\sigma_i$ value proportionally indicates that the symbol at position $i$ is a one, whereas 
a value of $\sigma_i$ in the negative indicates proportionally, in the negative direction, 
that it is a zero. A near-zero $\sigma_i$ corresponds to an ambiguous symbol. 

The soft symbol $\sigma_i$ is mapped to a normalized score $z_i$. Let SD denote the 
standard deviation of the 162 soft symbols. The score $z_i$ expresses soft symbol 
$\sigma_i$ in scaled units of standard deviation SD, that is: 

$$z_i = 50 \, \frac{\sigma_i}{SD} \qquad (3)$$

The multiplicand 50 is the scaling factor. When the standard deviation SD is 
null, the score $z_i$ is equal to the product $50\sigma_i$. Finally, every score is mapped in 
the [1, 256] interval, adding value 129 to each of them. Figure 2 shows the scores 
obtained in non-noisy conditions (standard deviation is 265.55). Binary value 
zero is scored 79, while binary value one is scored 179. Figure 3 shows the 
scores obtained in noisy conditions, with a 2.5 kHz SNR of -27 dB (standard 
deviation 30.02). The lowest values represent the most definite binary zeros, 
while the highest values represent the most definite binary ones. Finally, every 
score $z_i$ is mapped to a quality metric $q_i$. Figure 4 shows the quality metrics 
versus the scores. Small scores correspond to good quality zeros or poor quality 
ones, while it is the opposite for high scores. While the search is conducted for 
mapping channel symbols to data bits, the higher-quality symbols are tried first. When the 
decoding fails, alternative decoding with lower quality symbols is attempted. 
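
The soft-symbol chain of Eqs. (1) to (3), carried through for one frame in the 1 min mode, as an added Python example (it is not the Oceanus Matlab code). Assumptions: the tone assigned to each data/sync pair is the one Eq. (2) pairs them with, the code bits and the sync pattern are constructed, SD is the population standard deviation, scores are rounded and clamped to [1, 256], and all function names are hypothetical.

```python
import cmath
import math
import random

FS = 375                   # receiver sample rate in samples/s (from the page)
N_SYMBOLS = 162            # channel symbols per frame (from the page)
SPS = 128                  # samples per symbol in the 1 min mode (Table 1)
FREQS = (-2.2, -0.73, 0.73, 2.2)
# Tone sent for each (data bit, sync bit) pair, read off Eq. (2): an assumption.
TONE = {(1, 1): 2.2, (0, 1): -0.73, (1, 0): 0.73, (0, 0): -2.2}

# Constructed inputs: 81 ones and 81 zeros as code bits, and a made-up sync
# pattern (not the system's real 162-bit synchronization vector).
CODE_BITS = [i % 2 for i in range(N_SYMBOLS)]
SYNC_BITS = [1 if (i * 7) % 5 < 2 else 0 for i in range(N_SYMBOLS)]


def modulate(code_bits, sync_bits, tau=0, noise_std=0.0, seed=1):
    """Unit-amplitude complex 4-FSK envelope that starts tau samples late.

    noise_std is the standard deviation of the white Gaussian noise added to
    the real and to the imaginary part of every sample.
    """
    rng = random.Random(seed)
    samples = []
    for t in range(tau + len(code_bits) * SPS):
        value = complex(rng.gauss(0.0, noise_std), rng.gauss(0.0, noise_std))
        if t >= tau:
            i = (t - tau) // SPS
            f = TONE[(code_bits[i], sync_bits[i])]
            value += cmath.exp(2j * math.pi * f * t / FS)
        samples.append(value)
    return samples


def tone_magnitudes(x, tau=0):
    """Eq. (1): correlate each symbol interval with each of the four tones."""
    result = []
    for i in range(N_SYMBOLS):
        start = i * SPS + tau
        row = {}
        for f in FREQS:
            acc = 0j
            for t in range(start, start + SPS):
                acc += x[t] * cmath.exp(-2j * math.pi * f * t / FS)
            row[f] = abs(acc)
        result.append(row)
    return result


def soft_symbols(p, sync_bits):
    """Eq. (2): the known sync bit selects which pair of tones is compared."""
    return [s * (row[2.2] - row[-0.73]) + (1 - s) * (row[0.73] - row[-2.2])
            for row, s in zip(p, sync_bits)]


def scores(sigma):
    """Eq. (3), then the +129 offset; rounding and clamping are assumptions."""
    mean = sum(sigma) / len(sigma)
    sd = math.sqrt(sum((v - mean) ** 2 for v in sigma) / len(sigma))
    z = [50 * v / sd if sd > 0 else 50 * v for v in sigma]
    return [min(256, max(1, round(v + 129))) for v in z]


def demodulate(x, sync_bits, tau=0):
    """Return (soft symbols, scores) for one frame starting at sample tau."""
    sigma = soft_symbols(tone_magnitudes(x, tau), sync_bits)
    return sigma, scores(sigma)


if __name__ == "__main__":
    clean = modulate(CODE_BITS, SYNC_BITS, tau=37)
    _, z_clean = demodulate(clean, SYNC_BITS, tau=37)
    print("noise-free scores:", sorted(set(z_clean)))
    noisy = modulate(CODE_BITS, SYNC_BITS, tau=37, noise_std=1.0, seed=7)
    _, z_noisy = demodulate(noisy, SYNC_BITS, tau=37)
    print("noisy score range:", min(z_noisy), "to", max(z_noisy))
```

With balanced code bits and no noise the scores collapse to the two values the text reports for Fig. 2; with noise they spread around them while the sign of each soft symbol still recovers the bit.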


5 Matlab Implementation 


Using the Matlab™ app designer, the Oceanus application has been developed. 
It supports all communication modes explained in this paper. Using the inter- 
face, the user has the option of choosing one of the available six frame formats 
(Table 1). The interface comprises two panels, see Fig. 5. The first panel is for 
the transmitter. It contains the option of typing hexadecimal data or generating 
random frames. The user also has the option of choosing the output device and 
carrier frequency. Moreover, quiet time, sampling rate and the type of output 
file are options the user can pick. The transmitter enables the user to either play 
signals directly to output devices or to save to files, giving the option to replay 
signals with many of the available audio applications. For simulation purposes, 
the user can add white noise to signals and generate signals with different SNRs. 
Oceanus also supports generating a probe signal. The probe signal can be used 
for adaptability. The user can choose the frequency, sampling frequency, and file type 
in case the user chooses to save the signal. The probe signal consists of six frames, 
each in a different mode, starting with mode 1 up to mode 6. The second panel 
is dedicated to the receiver. The user can click to start the receiving state. The 
application starts listening for frames through the chosen input device. The user 
may choose the carrier and sampling frequencies. Oceanus provides the option of 
decoding in real-time from an input device or from files, in various audio formats 
(WAV, FLAC, OGG or MP4). Moreover, the receiver also supports adaptability. 
In the receiver panel, the start probe mode button makes the receiver start 
listening and try decoding the received signal using all six modes in order to 
find the best mode. The code of the application is available online [27]. 


Fig. 2. Non-noisy symbol scores. 


6 Performance Evaluation Through Simulation 


Figure 6 shows the FER versus SNR obtained through simulation for every 
frame format described in Table 1. Every data point is the average of 10 trials. 
For this simulation, the reference bandwidth is 6 kHz. A frame is considered 
error-free when it is transmitted and received with no bit error. When a frame 
contains one or more errors, the whole frame is in error. To obtain the target 
SNRs, white Gaussian noise is added to the signals. Every frame format exhibits 
a waterfall behavior, that is, an abrupt transition from a 100% to a null FER. 
This is a well-known phenomenon associated with convolutional coding. From 
the one minute to the 20 min formats, there is an increase in robustness, that is, 
the ability to perform equally with a three dB drop in SNR, from one format to 
another. Simulation results confirm the expected relative performance from one 
format to another. The symbol interval time, energy and SNR, in linear form, 
are consistently multiplied by two from one format to the other. From the two 
minutes to the 20 min mode, the crest of the waterfall is shifted by -10 dB, which 
is consistent with the fact that symbols contain 10 times more energy. 


Fig. 3. Noisy symbol scores. 


7 Adaptability 


In this section, we discuss adaptability to propagation conditions leveraging the 
six frame formats defined in Sect. 3. Three two-way handshake protocols are 
outlined to select between two peers, an Initiator and a Responder, a frame 
format suitable to the propagation conditions. The goal is to select the least 
robust frame format that can be supported, since it is also the most efficient. 
The protocols are feedback based and are half duplex, full duplex or parallel. 


7.1 Half Duplex Feedback Protocol 


Figure 7 illustrates the first protocol, where half-duplex communications are 
assumed. There is an Initiator and a Responder. The Initiator starts the execution 
of the protocol by sending a sequence of six frames. The frames are in the 
one to the 20 min modes, that is, from the least robust but most efficient to 
the most robust but least efficient. The goal is to determine the most efficient 
format that can be supported by the propagation conditions. After each frame 
transmission, the Initiator remains silent for a duration corresponding to the 
frame time interval. It listens. In Fig. 7, at time t1 the Initiator completes the 
transmission of the frame in the four minutes mode. The frame is received with 
success. The Responder confirms by sending a frame in the same format. From 
time t2, both the Initiator and Responder continue the conversation in the two 
minutes mode. For the sake of simplicity, Fig. 7 abstracts away processing 
time and propagation delays. Symmetric propagation conditions are assumed. 
The Initiator and Responder can periodically repeat the handshake to update 
the choice of frame format to changing propagation conditions. 


Fig. 6. FER vs. SNR. 


7.2 Full Duplex Feedback Protocol 


Figure 8 illustrates the second feedback protocol, where the six supported frame 
formats are sent sequentially by the Initiator, one after the other from time t0. 
Transmission completion is expected after a time corresponding to the sum of 
the time intervals of all six modes. Slightly after time t1, the Responder receives 
with success the frame in the four minutes mode. It acknowledges with a frame 
in the same mode. Starting from time t2, the Initiator-Responder conversation 
can carry on in the four minutes mode. 


Fig. 8. Full duplex feedback protocol. 


7.3 Parallel Feedback Protocol 


Figure 9 depicts a third feedback protocol. At time t0, the Initiator sends the 
six frame formats in parallel. Slightly after time t1, the Responder receives with 
success the frame in the four minutes mode. It acknowledges with a frame in 
the same mode, reaching the Initiator at time t2. The sequel of the Initiator-Responder 
conversation can carry on in the four minutes mode, full duplex. 
This feedback scheme is possible only when the Initiator and Responder have 
the capacity to send and receive frames in parallel. 


8 Conclusion 


We have introduced the design of six frame formats for underwater acoustic com- 
munications. The design addresses physical and link layer issues. The design has 
been implemented and evaluated through simulation in the Matlab™ environ- 
ment. Simulation results confirm a robustness increase from one format to the 
other. This is due to the fact that the symbol interval is doubled from format- 
to-format. It has proportionally the same effect on the bit SNR, for a given 
transmission power level. The six formats can be used for adaptable underwater 
acoustic communications. We have described three adaptability protocols, that 
can be chosen according to available acoustic communication resources. Note 
that the system design does not require dynamic memory allocation anywhere. 
Hence, the amount of required hardware resources is predictable, in particular 
memory. The system design can easily be implemented on resource constrained 
devices. 


Abstract. Vehicular Ad Hoc Networks (VANET) supporting Vehicle-to-Vehicle 
(V2V) and Vehicle-to-Infrastructure (V2I) communication can 
increase the efficiency and safety of the road transportation systems. 
V2V communication uses wireless technology and in scenarios with high 
vehicle densities, the communication channel faces congestion, negatively 
impacting the reliability of the safety applications. To address this, var- 
ious decentralized congestion control techniques have been proposed to 
effectively lower the channel load, by controlling different transmission 
parameters like message rate, data rate and transmission power. In this 
paper, we propose a novel data rate control algorithm to control the net- 
work congestion based on the Channel Busy Ratio (CBR). Simulation 
results demonstrate that the proposed approach outperforms existing 
data rate based algorithms, in terms of both packet reception and over- 
all channel load. 


Keywords: VANET - Congestion control - Vehicular communication - 
V2V - Basic safety message (BSM) - Intelligent Transportation System 
(ITS) 


1 Introduction 


Traffic accidents can occur due to various factors, such as hazardous road condi- 
tions, driving under the influence of alcohol/drugs, driver skill level, and speed- 
ing that could cause loss of property and lives [1]. Vehicular Ad-Hoc Networks 
(VANET) [2], a subset of Mobile Ad-Hoc Networks (MANET) [3], forms an inte- 
gral part of an Intelligent Transportation Systems (ITS) [4] aimed at improving 
vehicle and road safety. Generally, VANETs are composed of high-speed mobile 
communication nodes, i.e., vehicles traveling at high velocities, as well as infras- 
tructure nodes, such as roadside units (RSUs). Typical VANET characteristics 
include rapid changes in topology, high density of nodes in the network, and no 
energy restrictions [2,5]. Participating nodes (vehicles) in a VANET use wireless 
technology to directly communicate with each other. This type of direct communication 
between different nodes is known as vehicle-to-vehicle (V2V) communication [5], 
and will be the main focus of this paper. In addition to V2V, VANET 
also supports vehicle-to-infrastructure (V2I) and infrastructure-to-infrastructure 
(I2I) communications. 

Supported by Natural Sciences and Engineering Research Council of Canada (NSERC) 

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2022 
Published by Springer Nature Switzerland AG 2022. All Rights Reserved 
W. Bao et al. (Eds.): ADHOCNETS 2021/TridentCom 2021, LNICST 428, pp. 144-157, 2022. 
https://doi.org/10.1007/978-3-030-98005-4_11 

VANET applications are categorized into service and safety applications [6]. 
Safety applications include forward collision warning, curve speed warning, pre- 
crash awareness, left turn to assist, emergency brake lights, lane change warning, 
etc. Service applications include route guidance and traffic optimization, info- 
tainment applications such as internet connectivity, media, payment services 
such as E-toll collection, etc. Many safety applications rely on periodic beacons 
sent by each vehicle, containing its status information. These periodic messages 
are referred to as Basic Safety Messages (BSMs) in the U.S. [7] and Cooperative 
Awareness Messages (CAMs) in Europe [8] and contain important information, 
including a vehicle’s current position, speed, acceleration, heading etc. These 
messages are sent through the channels allocated in the DSRC/WAVE system 
[9], and processed using the On-Board Units (OBUs) that are placed inside each 
vehicle. 

In the United States, the FCC has allocated 75 MHz spectrum in the 5.9 GHz 
band for Dedicated Short Range Communication (DSRC) [10]. This spectrum 
is divided into seven 10 MHz channels with associated guard bands, from which 
channel 172 is assigned for exchange of safety messages [11]. A 6 Mbps data rate 
for BSM transmissions has been widely adopted for many VANET simulations 
[10,12,13], and also used in some standardization activities [14]. Other data rates 
have also been considered in some papers, e.g., in [15-17] 3 Mbps is used due 
to its low SINR requirement. Each vehicle typically transmits 10 beacons per 
second, which can cause heavy channel load as vehicle density increases. Channel 
congestion occurs when the load is high enough that the nodes start competing 
to acquire access to the channel [18]. It has been shown that when the channel 
load exceeds 40% of the channel capacity, packet collisions and packet delays 
grow rapidly [19]. Therefore, appropriate congestion control algorithms should 
be implemented to avoid channel congestion and ensure the proper delivery of 
messages. 

Most VANET congestion control techniques either reduce the BSM trans- 
mission rate or transmission power, or a combination of both, to reduce channel 
load. However, these can have a significant impact on the level of awareness 
of surrounding vehicles. In recent years, a number of papers have investigated 
adjusting the BSM transmission data rate (i.e. bitrate) to control congestion. For 
the remainder of the paper, we will use the terms data rate and bitrate inter- 
changeably. When lower data rates are chosen, packet transmissions take longer, 
but the signal strength is high, reducing the chance of corrupted or lost packets. 
On the other hand, when higher data rates are chosen, packet transmissions are 
faster, reducing channel congestion, but signal strength is also reduced. There- 
fore, it is important to choose a suitable data rate for each BSM transmission 
that can balance the need for lower channel congestion and error-free packet 
reception. 

In this paper, we propose a new approach that dynamically selects an appro- 
priate data rate for each BSM transmission, based on the current channel busy 
ratio (CBR). Unlike existing algorithms that typically increment the bitrate only 
one level at a time, regardless of how high the CBR is, the proposed algorithm 
directly estimates the appropriate bitrate to use based on the current CBR value. 
This allows the channel congestion to converge to the desired level much faster, 
leading to lower packet loss and improved packet delivery ratio. Similarly, when 
current CBR is below the desired threshold, the proposed algorithm calculates 
the appropriate bitrate and starts transmitting directly using this bitrate, rather 
than moving through intermediate levels. Our simulation results indicate that 
the proposed approach is able to outperform existing data rate based algorithms 
in terms of both successful packet delivery rate and overall channel congestion. 

The remainder of the paper is organized as follows. In Sect. 2, we provide 
an overview of existing VANET congestion control approaches. In Sect. 3, we 
present our proposed congestion control approach. We discuss our simulation 
results in Sect. 4 and present our conclusions and some directions for future 
work in Sect. 5. 


2 Background Review 


In VANET, the safety messages are of two types: periodic and event-driven 
messages. Event-driven messages are sent whenever certain events like traffic 
accidents or road hazards are detected. On the other hand, Basic Safety Messages 
(BSMs), are sent periodically by each vehicle in the network, regardless of traffic 
conditions. This means that as the vehicle density increases, the total number 
of BSMs being transmitted also increases correspondingly. It has been shown 
that even with relatively simple traffic scenarios, the bandwidth of the allocated 
channel can quickly become depleted, leading to channel congestion [19]. In this 
section, we will first briefly review some of the important congestion control 
techniques that use message rate and power control. Then, we will focus on how 
the transmission data rate can be used for congestion control, as well as some 
hybrid approaches. 


2.1 Message Rate Based Approaches 


The default BSM transmission rate is 10 Hz, i.e., each vehicle normally transmits 
ten BSMs per second. Message-rate based approaches adapt the rate at which 
the messages are generated per second. As congestion increases, the message rate 
is reduced accordingly. The main limitation of these approaches is that reducing 
the message rate also reduces awareness and can affect vehicle safety, as most 
safety applications rely on up-to-date information from neighboring vehicles. 
Some well-known congestion control algorithms using message rate control are 
discussed below. 

In [13], the authors proposed a new scheme called Linear Message Rate Control 
algorithm (LIMERIC) that used linear feedback to adapt the message rate. 
The vehicles in a specific region sensed the channel load and adapted their mes- 
sage rates to meet the required predefined CBR. In [20], the authors proposed 
a new congestion control strategy called Periodically Updated Load Sensitive 
Adaptive Rate Control (PULSAR), where CBR was measured at the end of a 
fixed time interval and compared against the target value. When the measured 
value was higher than the target value, the transmission rate was decreased. 
This approach handled the channel congestion by maintaining the CBR below 
the predefined target value. In [15] the transmission rate was a function of both 
channel load (LIMERIC component) and vehicle dynamics (Suspected Tracking 
Error (STE) component). The LIMERIC component executed the LIMERIC 
algorithm and computed a periodic message rate based on the channel load. 
This message rate was used to schedule the next packet after every transmission. 
Meanwhile, STE component determined a time when the channel is expected to 
reach a threshold, and ensured that the packet is sent no later than that time. In 
[21] the authors proposed a method that extended the LIMERIC algorithm to 
control the total channel load according to a predefined target value. In [22], the 
vehicles transmit their packets by varying the beacon rates. The cars ask 
their neighboring vehicles whether to increase or decrease the Beacon Transmission 
Rate (BTR). The BTR adjustment requests, which depend on the channel 
condition, are sent by attaching them to the beacons that are broadcast by each 
vehicle. In [23], the beacon messages were scheduled according to the priorities 
and transmission power. Messages were dequeued automatically according to the 
priority queue model. In [24], the congestion control scheme adapts the message 
rate according to the local vehicle density. 


2.2 Power Control Based Approaches 


Transmission power determines how far a message can travel and get delivered 
successfully. The goal of power control is to adapt the transmission range based 
on the level of channel congestion. A low-power transmission means that only 
nearby vehicles can see the BSMs. This reduces awareness, but also lowers chan- 
nel congestion. 

In [25], the vehicles adjusted their transmission power according to their 
speed. This approach was able to reduce the beacon error rate and channel 
busy time. In [26], the vehicles made their packet transmissions using different 
transmission power levels, based on the surrounding vehicle density. When the 
vehicle density was high, low transmission power was used. During moderate 
conditions, medium transmission power was used and high transmission power 
was used when the vehicle density was low. In [27], the authors proposed a 
method called Distributed Fair Transmit Power Adjustment for VANET (D- 
FPAV) to achieve congestion control by adjusting the transmission power based 
on the application-layer traffic and number of vehicles in the surrounding. In 
[28], all vehicles in the network transmitted beacon messages with an initial 
transmission power. Then a forecasted value of congestion was calculated and 
if it was less than a given threshold, then all cars increased their transmission 
power; otherwise, all the vehicles decreased their transmission power. In [29], the 
authors proposed to increase the awareness quality. Random transmission power 
was selected for each packet transmission and each vehicle controlled its power 
selection by using Complementary Cumulative Distribution Function (CCDF) 
because of its strong correlation with awareness quality. 


2.3 Data Rate Based Approaches 


The most commonly used data rate for BSM transmissions is 6 Mbps [12]. How- 
ever, it is possible to use other bitrates and DSRC has specified 8 possible rates 
that can be used: (3, 4.5, 6, 9, 12, 18, 24, and 27 Mbps). Data rate-based 
approaches adapt the bitrate used for BSM transmissions and this approach 
has gained more attention in recent years [12]. 

In [30], the vehicles adapted their data rate based on the network’s channel 
load, which was calculated in terms of the channel busy ratio. Only the data 
rates between 3 and 12 Mbps were considered to avoid flooding. Four states 
were assigned depending on the channel load: relaxed state, active state 1, active 
state 2, and restrictive state. Each state had a different data rate for the vehicles 
to transmit the packets. In [31], the algorithm increased the data rate levels 
to reduce the CBR of the network. The transition from one state to another 
was done based on CBR measurements for every T seconds, where the states 
corresponded to the levels of congestion. The algorithm increased the level if the 
CBR was higher than the mean threshold C1, and maintained the same level when 
the CBR was lower than the mean threshold C1 and greater than Cmin. In 
[32], packet count Pc was used together with the CBR measurements to adjust 
the data rate. The data rate D was adjusted depending on the packet count Pc 
measured for every second. 


2.4 Hybrid Approaches 


Instead of using a single parameter to control congestion, a number of recent 
approaches have proposed using a combination of different parameters, e.g. power 
and message rate, to effectively reduce channel load. Some interesting hybrid 
approaches that use multiple control parameters are discussed in this section. 
In [33], two different transmission power levels were maintained, where each 
vehicle sent a certain percentage of BSMs with high power and the rest with low 
power. This technique was combined with LIMERIC to further reduce conges- 
tion. This approach had a lower Beacon Error Rate (BER) compared to other 
approaches. In [34], the authors proposed a new mechanism called Combined 
Power and Rate Control (CPRC), which made the rate and power adjustments 
in a single loop rather than a two-phase approach. CPRC exhibited cooperative 
behavior by increasing the transmission rate of the nodes involved in a poten- 
tially dangerous situation and reducing the transmission power of the other 
nodes. This approach prevented the channel load from exceeding a predefined 
threshold value. In [29], the authors proposed a new congestion control strategy 
called Random Transmission Power Control (RTPC) to reduce the channel load. 
RTPC was combined with TRC (Transmit Rate Control), and the sending rate 
was increased until the target load was reached. In [32], the authors proposed 
a combined data rate and message rate congestion control scheme. Beacon fre- 
quency was kept above the required minimum value by reducing the message 
rate. During high traffic densities, the data rate was increased to provide more 
channel capacity. This approach performed better in reducing the channel busy 
time. 


3 Proposed Approach 


The amount of time it takes to transmit a packet of a given size depends on 
the bitrate used for transmission. Using a higher bitrate reduces transmission 
time (and hence channel congestion) but also reduces the signal strength and 
the distance the signal can travel. 

In the proposed approach, each vehicle participating in the network estimates 
the channel load based on its measured channel busy ratio or CBR value. The 
CBR value measured by a vehicle represents the percentage of time the channel 
was sensed as “busy” by its OBU over a given interval. The overall motive of 
our congestion control algorithm is to maintain the CBR between two specified 
thresholds (cbrhigh) and (cbrlow), by adjusting the data rate of the transmitted 
BSMs. Thus, when there is very little traffic, the transmission bitrate is reduced, 
making the packets visible even to distant vehicles. On the other hand, when con- 
gestion is high, a higher bitrate is used that results in faster packet transmission, 
but potentially increasing the beacon error rate for distant vehicles. 

The data rate control algorithm (DRCA) shown in Algorithm 1 is used to 
determine the bitrate that will be used to transmit each BSM. Each vehicle runs 
this algorithm each time it is ready to send the next BSM. The transmission 
data rate is calculated based on the most recent CBR value measured by the 
vehicle, which is given as an input to the proposed DRCA scheme. 

During initialization, the high CBR (cbrhigh) and low CBR (cbrlow) thresh- 
olds are set and a list (B) of allowed bitrate values is also specified. Based on 
the current standards, the available bitrates that we have used are: 3 Mbps, 
6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps and 24 Mbps. So, we set B = [3, 6, 9, 
12, 18, 24]. The previous bitrate is specified using the parameter level, which is 
used as an index for the list B, to determine the bitrate being used. For example, if 
level = 1 then the corresponding bitrate is B[1] = 6 Mbps. Finally, the parameter 
maxlevel corresponds to the highest possible index value for the list B and is 
given by maxlevel = len(B) - 1. 

After initialization, depending on the above parameters and the current measured 
CBR value (cbr), Algorithm 1 executes and changes (if necessary) the bitrate 
for sending the next BSM. This same process is executed for the next BSM and 
so on. Each vehicle runs this process in its OBU, independently of the other 
vehicles. This means that it is a decentralized congestion control process, which 
does not require coordination with other vehicles. 

Steps 2 to 11 are executed when the current CBR (cbr) goes below the low 
CBR threshold (cbrlow). Step 1 checks if the current CBR (cbr) is below the 
threshold (cbrlow). If the condition is satisfied, then steps 2-11 are used to 
determine if a lower bitrate can be used. Steps 2 and 3 assign the 
previous BSM bitrate as the new value. This will be used only if a lower bitrate 
cannot be found. Steps 4-10 iterate through each potential bitrate 
value from B[0] to B[level] to see if it can be used, i.e. whether the condition 
in step 5 is satisfied. Step 5 checks whether the expected CBR when using the 
new bitrate B[i] falls below 95% of the high CBR threshold (cbrhigh). If so, the 
corresponding value of i is used to determine the bitrate to use (step 7), the loop 
is terminated (step 8) and these updated values of newlevel and bitrate (steps 
6 and 7) are returned. This means that the lowest possible bitrate that satisfies 
the condition in step 5 is selected as the new bitrate. 


Algorithm 1. Data Rate Control Algorithm 
Input: List of bitrate values (B), index indicating which bitrate in B is currently being 
used (level), high (cbrhigh) and low (cbrlow) CBR threshold values, and current 
CBR (cbr) 
Output: Updated bitrate values and newlevel 
 1: if cbr < cbrlow then 
 2:     newlevel = level 
 3:     bitrate = B[newlevel] 
 4:     for i ∈ (0, level) do 
 5:         if cbr × (B[level]/B[i]) < 0.95 × cbrhigh then 
 6:             newlevel = i 
 7:             bitrate = B[i] 
 8:             break 
 9:         end if 
10:     end for 
11: end if 
12: if cbr > cbrhigh then 
13:     newlevel = maxlevel 
14:     bitrate = B[newlevel] 
15:     for i ∈ (level + 1, maxlevel) do 
16:         if cbr × (B[level]/B[i]) < 0.95 × cbrhigh then 
17:             newlevel = i 
18:             bitrate = B[newlevel] 
19:             break 
20:         end if 
21:     end for 
22: end if 
23: if cbrlow < cbr < cbrhigh then 
24:     newlevel = level 
25:     bitrate = B[newlevel] 
26: end if 

Steps 13 to 22 are executed when the current CBR (cbr) is higher than the 
threshold (cbrhigh). This means that the channel is getting congested and a 
higher bitrate must be used. Step 12 checks if the current CBR (cbr) is above 
the threshold (cbrhigh). If the condition is satisfied, then steps 13-22 are used 
to determine a suitable higher bitrate for BSM transmission. Steps 13 and 14 
assign the highest possible bitrate as the new value. This will be 
used only if no bitrate satisfies the condition in step 16. 
Steps 15-21 iterate through each potential bitrate value 
from the next higher bitrate B[level + 1] to the highest bitrate B[maxlevel] to see 
if it can be used, i.e. whether the condition in step 16 is satisfied. Step 16 is similar to 
step 5 and checks whether the expected CBR when using the new bitrate B[i] 
falls below 95% of the high CBR threshold (cbrhigh). If so, the corresponding 
value of i is used to determine the bitrate to use (step 18), the loop is terminated 
(step 19) and these updated values of newlevel and bitrate (steps 17 and 18) are 
returned. This means that the lowest possible bitrate that satisfies the condition 
in step 16 is selected as the new bitrate. 

Steps 24 to 26 are executed when the CBR (cbr) falls between the high (cbrhigh) 
and low (cbrlow) CBR thresholds, i.e. the condition in step 23 is satisfied. This 
means that the CBR is within the proper range and no bitrate variation is 
required since the channel load is already balanced. So, the level which is already 
in use is assigned as the newlevel by step 24. Step 25 assigns B[newlevel] 
as the next bitrate for the packet transmission. 
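
Algorithm 1 written out as runnable Python, as an added example that is not the authors' code. The loop ranges are taken as inclusive (B[0] to B[level], and B[level + 1] to B[maxlevel]) as the text describes, a CBR exactly equal to a threshold is treated as in range (an assumption, since the pseudocode leaves that case open), and settle() drives the algorithm with a toy channel model that is likewise an assumption.

```python
"""DRCA bitrate selection, following Algorithm 1 step by step."""

B = [3, 6, 9, 12, 18, 24]  # allowed bitrates in Mbps, as listed in the text
HEADROOM = 0.95            # the 95% factor used in steps 5 and 16


def drca(cbr, level, cbr_high, cbr_low, bitrates=B):
    """Return (newlevel, bitrate) to use for the next BSM."""
    maxlevel = len(bitrates) - 1
    if not 0 <= level <= maxlevel:
        raise ValueError("level must index into the bitrate list")
    if not 0.0 <= cbr <= 1.0:
        raise ValueError("cbr is a ratio between 0 and 1")

    def expected_cbr(i):
        # Steps 5 and 16: channel busy time scales with B[level] / B[i].
        return cbr * bitrates[level] / bitrates[i]

    newlevel = level  # steps 2 and 24: default is to keep the current bitrate
    if cbr < cbr_low:
        # Steps 4-10: lowest bitrate whose expected CBR keeps headroom.
        for i in range(0, level + 1):
            if expected_cbr(i) < HEADROOM * cbr_high:
                newlevel = i
                break
    elif cbr > cbr_high:
        newlevel = maxlevel  # step 13: fallback if nothing satisfies step 16
        for i in range(level + 1, maxlevel + 1):
            if expected_cbr(i) < HEADROOM * cbr_high:
                newlevel = i
                break
    return newlevel, bitrates[newlevel]


def settle(load_at_lowest, cbr_high, cbr_low, level=0, steps=6, bitrates=B):
    """Run DRCA in a closed loop and return the bitrate chosen at each step.

    Toy channel (assumption, not the paper's simulator): the measured CBR is
    the load offered at the lowest bitrate, scaled by B[0] / B[level] and
    capped at 1.0 because a channel cannot be busy more than all the time.
    """
    chosen = []
    for _ in range(steps):
        cbr = min(1.0, load_at_lowest * bitrates[0] / bitrates[level])
        level, rate = drca(cbr, level, cbr_high, cbr_low, bitrates)
        chosen.append(rate)
    return chosen


if __name__ == "__main__":
    # Threshold pairs are the DRCA1 and DRCA2 settings from Sect. 4.3.
    for name, high, low in (("DRCA1", 0.5, 0.3), ("DRCA2", 0.4, 0.2)):
        for load in (0.1, 0.9, 2.0):  # constructed load levels
            print(name, load, settle(load, high, low))
```

In the saturated case (load 2.0) the measured CBR is capped at 1.0, so the first estimate in step 16 is too optimistic and the loop needs a second round before the bitrate settles.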


4 Results and Analysis 


4.1 Simulation Setup 


Testing the effectiveness of congestion control algorithms for VANET becomes 
difficult in real-world situations due to the costs incurred, required equipment, 
resources, and safety concerns. Therefore, we have used a simulation environ- 
ment to evaluate our proposed approach. We used Simulation of Urban Mobility 
(SUMO) [35] as the traffic simulator and Objective Modular Network Testbed 
(OMNET++) [36] as our network simulator. 

For our traffic model, we considered a 1000 m long four-lane highway com- 
posed of two lanes in either direction. There was a total of 80 vehicles in the 
simulation, each with a maximum speed of 50 km/h. The simulation was run for 
120 s. To generate different levels of channel load, we used different combinations 
of BSM packet sizes and beacon intervals, as indicated below: 

• LOW load: Packet size = 256 Bytes and Beacon interval = 0.1 s. 
• MEDIUM load: Packet size = 256 Bytes and Beacon interval = 0.01 s. 
• HIGH load: Packet size = 1024 Bytes and Beacon interval = 0.01 s. 


4.2 Comparison with Constant Bitrate Transmissions 


In this section, we compare the performance of the proposed DRCA approach, 
which dynamically adapts the data rate, with using a constant bitrate for dif- 
ferent bitrate values, viz., 3 Mbps, 6 Mbps, 12 Mbps, 18 Mbps, and 24 Mbps. 
The performance is analyzed based on the total number of BSMs successfully 
received by the vehicles and the average CBR of the network. 


Comparison of Received BSMs 

Figure 1 shows the total number of packets received with different constant 
bitrates and with the DRCA approach. From the graph, we can see that 
using 3 Mbps performed better in low congestion scenarios and 24 Mbps performed 
best for medium to high congestion scenarios, in terms of the total 
number of packets received. The proposed DRCA achieved the highest received 
BSMs (same as with 3 Mbps) for low load, and was very close to the best results 
for medium and high loads. The above results indicate the advantages of using 
an adaptive congestion control technique, such as DRCA, since channel load can 
vary widely over time. 

Fig. 1. Comparison of received BSMs with DRCA vs using constant bitrates 


Comparison of CBR Values 

In this section, we compare the average CBR of the network when simulated 
with the constant bitrates and with the DRCA approach. Figure 2 shows the 
average CBR over the entire duration of the simulation, when using DRCA as 
well as different constant bitrates. It can be seen that the DRCA approach was 
successful in maintaining a lower average CBR, close to the minimum value possible, 
for medium and high loads when compared with the constant bitrates. For low 
channel loads, lowering the CBR is not really necessary, so DRCA tries to achieve 
better packet reception (as shown in Fig. 1) at the cost of higher CBR. 

Fig. 2. Comparison of CBR with DRCA vs using constant bitrates 


4.3 Comparison with Existing Congestion Control Techniques 


The results from the previous section demonstrated the advantages of adapting 
bitrates according to the current congestion in the network. In this section, 
we compare the proposed DRCA approach with 2 other existing data rate control 
approaches: Data Rate - Decentralized Congestion Control (DR-DCC) [31] 
and Transmission Data Rate Control (TDRC) [30]. The proposed DRCA approach 
was run with two different pairs of high (cbrhigh) and low (cbrlow) thresholds. 
For DRCA1, we set cbrhigh = 0.5 and cbrlow = 0.3, while for DRCA2 we used 
cbrhigh = 0.4 and cbrlow = 0.2. 


Comparison of Received BSMs 

Figure 3 compares the total number of BSMs received under different channel 
loads, using DRCA, DR-DCC and TDRC. Under low loads, the performance of 
all 3 approaches was very similar. For medium and high loads, both DRCA1 
and DRCA2 outperformed the other techniques. In particular, DRCA2 was able 
to achieve a significantly higher number of successfully received packets. 


Comparison of CBR Values 

Figure 4 shows the average CBR for the 3 techniques, under different channel 
loads. Under low load, all techniques report very low values of CBR, with TDRC 
having the lowest value. For medium to high loads, both DRCA1 and DRCA2 
were able to significantly reduce the average CBR value compared to the other 
2 approaches. Finally, we note that DRCA2 achieved the lowest overall CBR, 
showing that it can effectively reduce channel congestion, while improving packet 
delivery ratio. 
Fig. 3. Comparison of received BSMs with DRCA vs existing approaches 


Conclusion and Future Work 


In this paper, we have proposed and analyzed a new approach for dynamically 
adapting the bitrates used for BSM transmission, based on the level of conges- 
tion in the network. The proposed data rate control algorithm (DRCA) was able 
to significantly improve packet reception and control channel congestion, com- 
pared to both constant bitrates and existing data rate control approaches. For 
future work, we are extending the proposed approach to automatically select 
appropriate threshold values for CBR, based on current traffic conditions. It will 
also be interesting to combine DRCA with power-control techniques to further 
reduce congestion. 


Abstract. In recent years, Video on Demand (VoD) streaming has increased 
exponentially as a result of reduced streaming costs and higher bandwidth. For 
retention of consumers, it is crucial for content providers to understand the behav- 
ior of their users and continuously improve performance. In this paper, we ana- 
lyze the user behavior on Globo.com, the largest content distribution service in 
Brazil. We consider 1.4 billion logs spanning a period of four weeks from Octo- 
ber 25, 2020 to November 21, 2020. We analyze the user request patterns and 
the trends in server’s response time. We explore metrics such as protocol, status 
code, cache hits, user agent, content category popularity and geographical distri- 
bution of users. We finally investigate the video popularity distribution and trends 
in size of content downloaded. We observe that the highest number of requests 
occur between 8 pm and 11 pm. We observe that 57% of requests are served over 
HTTPS, while a significant portion (43%) are still served over HTTP. Our analysis 
also reveals that nearly 97% of requests result in a cache hit. Additionally, we 
observe that the video popularity distribution is skewed and follows a power law 
with 10% of the videos accounting for 87% of the requests. 


1 Introduction 


Video streaming has become extremely popular in recent years and video traffic is 
expected to account for more than 70% of the total Internet traffic in the upcoming 
years [7]. Video on Demand (VoD) streaming services such as Netflix, Amazon, Hulu, 
YouTube and Globo continue to see a huge increase in consumers globally. These con- 
tent providers generate large amounts of revenue via user subscriptions and advertise- 
ments [16], which necessitate good quality of experience for user retention. With the 
advancements in video streaming such as live video streaming, Ultra High Definition 
(UHD) or 4K videos, and Augmented Reality/Virtual Reality (AR/VR) video stream- 
ing, the user expectations for uninterrupted and high quality video service continue to 
increase. 

To effectively manage the exponentially growing content and consumer population 
as well as to provide high user quality of service while keeping costs to a minimum, it is 
critical to investigate user behavior on a large content distribution service. To this end, 
in this paper, we partner with Globo.com [2], the largest content distribution service in 
Brazil (also ranked 1st in Latin America) to analyze and investigate user behavior on 
its platform. Globo is a Brazilian television network that provides online content via 
Globo.com. According to data released by one of Globo’s directors [1], they witnessed 
an increase of 89% in the number of subscribers to Globoplay, one of the components of 
Globo.com, in 2020 as compared to 2019. They now stream around 100 million hours 
of content every month. The main content categories on Globo.com are news, sports, 
entertainment, technology and food. 

We collect and analyze around 1.4 billion user requests made to Globo.com between 
October 25, 2020 and November 21, 2020 at server side. We begin our analysis by 
studying the user request patterns and the time taken by the server to respond to user 
requests. We then investigate important network-related metrics such as the protocol 
used, status code, cache hits, user agent, content category popularity and geographical 
distribution of users. We conclude our study by examining the video popularity distri- 
bution and the trends in the size of the content downloaded by users. 

Our main findings are summarized as follows: 


— By analyzing the traces, we observe that the highest number of requests to 
Globo.com occur at night between 8 pm and 11 pm and the least number of requests 
occur between 3 am and 8 am. Though expected, this finding is important as it 
informs the content provider how to provision for peak load. We also observe that 
the time needed for the server to serve the requests is the lowest between 3 am and 
8 am. Interestingly, we observe that the time required to serve requests is not sig- 
nificantly impacted by the peak load when compared to the rest of the day. We also 
observe that the request load is least on Saturday followed by Friday. A possible 
reason is that people socialize more on the weekend with the result that they spend 
less time on the Internet and Globo.com. 

— We investigate the performance impact of different network parameters and, interestingly, 
observe that though the majority of the requests are served over HTTPS, a sizable 
portion of requests are still served over HTTP (43%). For improved security, we 
believe that more requests will transfer over to HTTPS in future. We also observe 
that roughly 95% of HTTP(S) requests are satisfied with a 200 OK message. We also 
find that most requests (96.5%) result in a cache hit at the server, which indicates that 
the Globo CDNs are caching content effectively. 

— Our analysis also reveals that the most popular web browser and operating system 
used by the users to watch videos on Globo.com are Chrome and Android, respectively. 
We also find that the majority of the videos watched are related to movies or web 
series (Globoplay component of Globo.com). Additionally, we observe that 99.93% of 
requests to Globo.com occur from Brazil and the majority of the traffic (around 81%) 
is generated from the five states Ceará, Bahia, Pernambuco, Paraíba and Maranhão. 
The request distribution within the country can be attributed to the fact that the CDN 
we collect the data from is located in the northeast of Brazil. 

— We explore the video popularity distribution on Globo.com and discover that the 
distribution is skewed and follows a power law where the top 10% of videos account 
for 87% of the total requests while the remaining 90% of videos account for just 13% 
of the requests. A possible reason for this is that people share videos with others when 
they find them to be good and, once they watch a certain kind of video, the recommendation 
algorithm recommends similar videos to users, making a smaller number of content items 
more popular [20]. 


Our exploration provides characterization of user activity on Globo.com, and facil- 
itates improving the platform’s service and designing streaming algorithms to enhance 
the user quality of service. 


2 Related Work 


In this section, we discuss the existing literature on user behavior analysis on video 
streaming services. 

Research in [3, 14, 17, 18] explores user behavior analysis for live video streaming. 
Two of them analyze the transmission sessions also considering data from Globo.com’s 
server logs. In [18], authors characterize the behavior of mobile users when watch- 
ing large popular live events in Brazil. In [17], the same authors extend the previous 
analysis, using data mining techniques, to extract key factors of popular live streaming 
sessions to understand what factors may impact the quality of the users’ experience 
using mobile devices. [3] analyze QoE and its impact on user engagement for large- 
scale live video streaming. Liu et al. study personalized 360° live video streaming on 
two commercial platforms, YouTube and Facebook in [14]. 

[11-13] focuses on analyzing behavior of mobile users towards VoD consump- 
tion. [12] characterizes the geographical patterns of a large-scale commercial mobile 
VoD system, by measuring uniformity and intensity of geographic interests on videos. 
Authors in [11] analyze users’ behavior, video popularity patterns, impact of the con- 
nection type and the type of mobile device used using data from a mobile VoD sys- 
tem. In [13], authors analyze viewing behavior of users with respect to three factors— 
viewing time, user population, and user locality on PPTV (an Internet video provider in 
China) logs. 

Work in [5,6,8] presents user engagement and performance characterization of 
video streaming services. Authors in [6] analyze the significance of factors such as 
service quality metrics, network quality metrics, video content and viewer demogra- 
phy in determining viewer engagement and propose personalized models for predicting 
individual viewer’s engagement. In [5] authors characterize user watching time distributions 
of the 1000 most popular videos on PPLive, a commercial Internet VoD system in 
China. Ghasemi et al. present performance characterization of Yahoo’s video streaming 
service in [8]. 

[9,10,15,19] focuses on analyzing the Quality of Experience (QoE) in video 
streams. [10] studies the relationships between Quality of Service (QoS) and QoE in a 
session-based Over-The-Top (OTT) video service through a data-driven machine learn- 
ing approach. Authors explore the use of outlier analysis and clustering as tools for 
interpreting QoE data of an OTT Video Service in [9]. Authors propose a machine 
learning based approach to monitor QoE metrics for encrypted video traffic and present 
results on YouTube videos in [15]. [19] subjectively assesses QoE during the entire life 
cycle of video sessions. 


3 Data and Problem Statement 


3.1 Data 


In this section, we provide an overview of our VoD streaming dataset obtained from 
Globo.com. Globo is the largest television network in Brazil that also offers content 
over the Internet via its online platform Globo.com [2]. For delivering content to its 
users, the company uses an architecture of multiple Content Delivery Networks (CDNs), 
located in different cities in Brazil, comprising multiple servers that cache the most 
popular content in order to reduce the latency in serving requests to the end users. In 
this work, we analyze the data collected at one specific CDN, in the northeast of Brazil 
(state of Ceará). This state (and CDN) is strategically located close to submarine cables 
connecting Brazil to North America, Europe and Africa. Besides this CDN, Globo uses 
at least six other CDNs to serve data over the Internet. 

Fig. 1. Trends in requests sent to Globo.com (hourly and weekly basis) and server’s response time 
(hourly basis) 

The Globo.com architecture also uses the NGINX web service solution on its HTTP servers. 
NGINX controls the streaming video service via different HTTP streaming protocols, 
such as HLS, DASH, MSS, Smoothstreaming, among others. Each NGINX instance records 
user session information in log files and sends it to a central repository. Our partnership with 
Globo gives us access to this data repository. Thus, we collect approximately 
1.4 billion VoD logs from the service for the analysis presented in this work. Logs 
contain information of the video requested by a user and server’s response to it. As the 
log is collected at the server, all our analysis is presented from the server’s perspective. 
The logs span four weeks from October 25, 2020 to November 21, 2020. Each log 
consists of the following fields: 


— Timestamp: It consists of the date and time when the request was served. The date 
is logged in YYYY-MM-DD format and the time is logged in HH-MM-SS format. 

— IP address: It consists of the IP address from where the request was sent. 

— Country Code: It consists of the postal abbreviation code of the country from where 
the request occurred. 

— Status Code: It includes a three-digit numeric code which decides how the user 
agent (defined in the last point) handles the response. 

— Cache Hit/Miss: If the requested content is present in the server’s cache, it is logged 
as a hit. If not, it’s a miss and the content is retrieved from the backend server. 

— Payload: It includes the size of the content in bytes that is returned to the user. 

— Response Time: It consists of time in milliseconds which determines the time 
elapsed between when the user sent the request and when the request was served. It 
comprises the time for either finding the video in the server’s cache or retrieving it 
from the backend server and returning it to the user. 

— Video Identification: This field contains the details of the content requested. It 
includes the video id, video name and the protocol used. 

— Uniform Resource Locator (URL): This field contains the web address of the con- 
tent requested by the user. 

— User-Agent: It includes the information of the software that renders the web con- 
tent to the user. This software agent is usually the web browser, media player or a 
plug-in. 


3.2 Problem Statement 


In this paper we adopt a data-driven approach to analyze the underlying patterns in the 
Globo.com dataset to discern key insights related to user trends (e.g., request rate), net- 
work performance metrics (e.g., cache hit rate) and video popularity distributions. Our 
investigation provides a superior understanding of user interactions on Globo.com, a 
unique multi-platform content distribution service and lays the foundation for improv- 
ing the platform’s service and designing streaming algorithms that enhance the user 
quality of service. 


4 Results 


In this section, we first analyze the users’ request patterns and the server’s response 
to them. We then investigate important metrics such as protocol, status code, cache 
hits, user agent, category popularity and the geographical distribution of users. We then 
evaluate the video popularity distribution and the trends in the content size returned to 
the users. 


4.1 Trends in User Requests 


We study the trends in the requests occurring at the server on an hourly and weekly 
basis. Figure 1a shows the total number of requests occurring at a particular hour of 
the day during the month. Here, 0 denotes 12 am and 23 denotes 11 pm. We observe 
that the highest number of requests occurs at night between 8 pm and 11 pm, after which 
the number of users accessing the service starts decreasing and the number of requests 
dips in the early morning between 3 am and 8 am. This trend is quite natural 
and corresponds to sleeping patterns of humans. Figure 1b shows the total number of 
requests occurring on a specific day of the week during the month. We see that the highest 
number of requests occurs on Monday whereas the lowest number occurs on Saturday 
followed by Friday. This is because people prefer spending their weekend nights, in 
particular Friday night and Saturday night, going out rather than staying at home and 
watching TV. Analyzing user request patterns is important as it informs the content 
provider how to provision for peak load. 


4.2 Trends in Response Time 


Response time is the elapsed time between the user requesting content and the request 
being served. It also includes the time taken by the server to search for the content in its 
cache and, if it is not found, to fetch it from the backend server. Response time is an important 
metric to analyze in web surfing and video streaming as high response times, especially 
while video streaming, could ruin the user experience. Investigating response time is 
important to improve user engagement and attract more users to use the service. As 
around 97% of requests result in a cache hit at the server (see Sect. 4.3), Fig. 1c shows the 
average response time of these requests on an hourly basis. We observe that the average 
time needed to return contents to the users is between 100 ms and 220 ms. We also 
observe that the average response time is the lowest between 3 am and 8 am. The reason 
is that, as we observed in the previous section (Fig. 1a), the server experiences a 
low number of requests in the early morning, enabling it to serve the requests faster. 
Interestingly, we observe that the time required to serve requests is not significantly impacted 
by the peak load when compared to the rest of the day. 


4.3 Key Metrics 


Protocol. VoD services deliver videos to clients over Hypertext Transfer Protocol 
(HTTP). Hypertext Transfer Protocol Secure (HTTPS) is an extension of HTTP where 
the communication protocol is encrypted using Transport Layer Security (TLS). This 
provides confidentiality, i.e., no one on the network is aware of what the user is watching, 
and integrity, i.e., no one can alter the video stream. We investigate the protocol 
used to send requests. Figure 3b shows the percentage of HTTP and HTTPS requests. 
Interestingly, we observe that around 57% of requests are sent over HTTPS whereas a 
significant percentage of users (43%) still stream videos over HTTP. 

Fig. 3. Web browser/media player, operating system and content category popularity pie charts 


Status Code. The first line of the HTTP response, called the status line, includes a 
numeric status code and a textual reason phrase. The way content is retrieved and rendered 
on a web page depends mainly on the status code, which makes it an important metric 
to analyze. Figure 3c shows the percentage of different status codes returned for all the 
requests. We observe that 94.8% of requests are successful and have the status code 200 
OK, 4.8% of requests are returned only part of the requested resource and have the 
status code 206 Partial Content, while the remaining 0.4% of requests have 4XX and 5XX 
class status codes, which indicate errors occurring at the client and server respectively. 


Cache Hits/Misses. If the content requested by the user is present in the server cache, 
it is denoted as a hit. Otherwise, it is a miss and the content needs to be retrieved from the 
backend server. To reduce the total delay experienced by users getting their requests 
served, it is important that the majority of requests incur a cache hit at the server. Figure 3a 
shows the percentage of requests incurring a hit or a miss. We see that 96.5% of requests 
result in a hit whereas just 3.5% result in a miss, which demonstrates that the Globo 
CDN is able to effectively serve user requests. Further investigation into the 3.5% of 
requests that miss can help them understand the reason behind a miss and design approaches to 
transform such requests into hits. 


User Agent. A user agent is software that retrieves and renders web content for the 
end users. The user-agent string in the HTTP request header makes it possible to identify 
the web browsers and media players which act as the user agents for the clients. This 
information is crucial for video streaming platforms to provide quality service. From 
the total logs considered, 31.5% of the requests do not contain information about the 
user agent. We analyze the remaining 68.5% of logs to obtain the most widely used 
web browser/media player to watch videos and the operating system on which the 
browser/player runs. Figure 3a shows the most popular web browsers/media players. We 
observe that about 31% of requests come from the Chrome browser, followed by 28% of requests 
from the default browser on Samsung devices and around 18% of requests from Dashplayer. 
Other browsers and media players such as Globoplay App, Safari, Microsoft 
Edge, Opera, etc. constitute a comparatively smaller percentage of requests. Figure 3b 
shows the percentage of requests from different operating systems (OS). We see that 
Android is the most popular OS with 49% of requests, followed by Windows, Linux, 
WebOS, iOS, Roku TV OS and FreeBSD, respectively. Other operating systems have 
minimal requests. This denotes that the majority of the consumers are mobile users. 


Category Popularity. Globo.com offers content in mostly seven different categories: 
g1 (journalism), ge (sports), gshow (entertainment), globoplay (TV, web series, and 
movies), tech (technology), cartola fc (soccer), and receitas (recipes). In this subsection, 
we identify which categories on Globo.com are most popular. About 50% of the logs do 
not contain valid content category information. Thus, we only consider the remaining 
50% of logs to determine category popularity. Figure 3c shows the pie chart for the percentage 
of requests received for different content categories. We observe that globoplay (TV, web 
series, and movies) is the most popular among users as it incurs the highest percentage 
of requests, followed by globoesporte (sports), g1 (news), and gshow (entertainment), 
respectively. The rest of the content receives only around 1.2% of the total requests. 


Geographical Distribution of Users. Prior research shows that the geographic loca- 
tion of users, especially mobile users, has a significant impact on video popularity [12]. 
Investigating the geographical distribution enables content providers to better understand 
regional popularity and plan their service accordingly. We learn from our data 
that 99.93% of requests to Globo.com come from Brazil and the remaining 0.07% come 
from the rest of the world. Figure 4 shows the distribution of user requests in different 
states of Brazil. As mentioned in Sect. 3, we collect data from the CDN in the state 
of Ceará located in the northeast of Brazil. Therefore, it is understandable that the top 
five states contributing the majority of traffic to Globo.com in our dataset are Ceará, Bahia, 
Pernambuco, Paraíba and Maranhão with 41%, 13%, 11%, 7.6% and 7.6% of requests, 
respectively, as user requests are generally routed to the geographically closest 
CDN. The remaining states contribute significantly less traffic. 

Fig. 4. Map of Brazil showing distribution of requests. The five states Ceará, Bahia, Pernambuco, 
Paraíba and Maranhão contribute the majority of the traffic. 


4.4 Discussion on Video Popularity Distribution and Content Download Size 


We investigate the video popularity distribution on Globo.com. Figure 5 shows the 
complementary cumulative distribution function (CCDF) of the video requests. We observe 
from the data that the top 10% of videos account for 87% of total requests. The content 
popularity distribution is skewed and follows a power law. Existing research also indicates 
that power laws are widely prevalent in real world content popularity distributions [4]. 
Globo.com can leverage these top 10% videos by caching them closer to the end user 
to reduce latency. Our analysis can also be used to optimize their caching policies and 
improve the deployment of CDNs. Video popularity also has an important role in video 
recommendation [20] and therefore, our analysis lays the groundwork to design smarter 
recommendation algorithms based on the knowledge of popularity changes. 

We next analyze the size of the content downloaded from the server. We investigate 
the total bytes downloaded per video as well as the average bytes downloaded per video 
considering all user sessions. We obtain a user session as follows—we get the first and 
the last request received for a video and the user session is the time interval between 
them. We make two assumptions while considering a user session: i) if two consecutive
requests for a video do not occur within a five minute span, we treat them as different
sessions; ii) a session cannot be longer than three hours. Both these assumptions are
valid because the data that we are investigating is only for VoD and not for live stream 
videos. So, if a request for the next chunk for the same video does not occur within five 
minutes, it is highly likely that a user has stopped watching the video. Also, majority of 
the movies or documentaries are less than three hours. We consider all the sessions for 
every video requested and get an average of the data (in bytes) returned by the server. 
Figure 5b shows the average data downloaded for all the videos. We observe that the 
average size of the data returned for the top 9% videos is greater than 100 MB and up 
to 1.8 GB. The average size of the content downloaded for all other videos is less than 
100 MB. 

Figure 5c shows the complementary cumulative distribution function (CCDF) of 
total number of requests, average bytes and total bytes downloaded per video. We 
observe that the popularity of the video is correlated to the total bytes downloaded 
for that video, i.e., videos with higher number of requests have higher number of total 
bytes downloaded. When we obtain average bytes downloaded considering different 
user sessions, this does not hold true since the user sessions vary for every video. 


5 Conclusion 


In this paper, we analyzed users’ behavior on Globo.com, the largest content distribution 
service in Brazil. We considered user requests made to Globo.com over a period of 
four weeks and investigated the user request patterns and trends in the server’s response 
times. We examined metrics such as protocol, status code, cache hits/misses, user agent, 
content category popularity and geographical distribution of users. We finally studied 
the video popularity distribution and size of content downloaded. The findings from this 
paper can be used by Globo.com to make their service more efficient.


Abstract. Fundamental to achieving cooperative awareness amongst vehicles is
the periodic dissemination of beacons. However, ensuring the secure dissemination
of these beacons has over the years become an issue of importance, as these
beacons more often than not contain some level of safety-critical information which is
susceptible to attack. Consequently, researchers have proposed in the literature
the use of digital certificates issued by a trusted authority as means of ensuring 
beacon authenticity and the use of a digital signature as a means of ensuring bea- 
con integrity. Nonetheless, this security method is characterized by an increase 
in communication overhead caused by the increase in the beacon payload size. 
To address this issue, some researchers have in recent years proposed approaches 
like the Neighbor-based Certificate Omission (NbCO) and Transmission Power- 
control Certificate Omission (TPCO) strategy that uses a certificate omission tech- 
nique to control channel congestion. Upon evaluation, these strategies have proved 
to be promising as they focus on tuning the beacon payload size which has a direct 
impact on the communication channel load and hence reducing channel conges- 
tion. Despite the benefits of these strategies, they face the general issue of how to 
maintain a steady and minimized number of Cryptographic Packet Loss (CPL) and 
Network Packet Loss (NPL) even as the traffic congestion situation in a vehicular 
environment increases (i.e.: CPL are beacons dropped because they are unverifi- 
able due to the absence of a corresponding certificate and NPL are the beacons 
dropped over the network due to congestion). 

Therefore, we propose in this work an Artificial Intelligence-based Trans- 
mission Power-Control Certificate Omission (AI-TPCO) scheme which allows 
vehicles to demonstrate an efficient control over communication channel load by 
intelligently tuning their transmission power using fuzzy logic and also reactively 
adapting their beacon size using NbCO strategy. Our obtained simulation results 
prove that our proposed AI-TPCO scheme is able to attain a steady and minimized 
number of CPL and NPL even as the traffic congestion situation in a vehicular 
environment increases and as such maximizing cooperative awareness amongst 
vehicles.


1 Introduction


In the early 1800s, the world of mobility observed a paradigm shift which was termed 
as the “Horseless carriage” [1] and this paradigm shift spearheaded the transitioning 
of mobility by animals (horses) to mobility by vehicles. Many years on, vehicles have 
become a significant part of our everyday life and as such, the number of vehicles on our 
roads has increased significantly. According to the US Car Ownership Statistics report 
in 2021 [2], about 91.3% of households in the US are reported to own at least one vehicle.
Hence, as the rate of vehicle ownership in our world today increases at a steady pace, the
issue of road accidents and traffic congestion has become even more alarming. To curb 
these issues, the world is currently observing another paradigm shift in mobility called 
“Autonomous Vehicles” [3] which will be steered by some technologies like Vehicle to 
Vehicle (V2V) communication. 

V2V communication is characterized by the periodic broadcast of beacons among 
vehicles on the road to enable them to take proactive safety decisions like slowing down 
in time when approaching a construction site or an accident scene. More often than not, these
periodic beacons contain some level of safety critical information which requires that 
we authenticate the message itself as well as its source. And to do so, some researchers 
have proposed the use of a digital certificate issued by a trusted certificate authority. 

Despite the benefits of the proposed security mechanism, it raises the issue of high 
communication overhead as it causes the size of the beacon payload to increase by 
over 200 bytes [5] and consequently leading to a congestion in the communication 
channel when vehicle density is high. To combat this issue, researchers have proposed 
in the literature several congestion control algorithms. Peculiar to our interest in this 
work is the beacon size control strategies (certificate omission schemes) proposed in the 
literature [6-9]. The general idea of these certificate omission schemes is to adapt the 
beacon payload size whenever the communication channel is observed to be congested 
by omitting the digital certificate attached to the beacons. However, these strategies are 
faced with the issue of how to significantly minimize and maintain a steady packet loss 
(NPL and CPL) even as traffic congestion in the vehicular environment increases. 

In this paper, we tackle the aforementioned issue by proposing an Artifi- 
cial Intelligence-based Transmission Power-Control Certificate Omission (AI-TPCO) 
scheme which is a Beacon Size Control (BSC) strategy supplemented with an intelligent 
Transmission Power Control (TPC) strategy. In this work, we perform an intelligent 
adaptation of vehicle transmission power by using an Artificial Intelligence (AI) algo- 
rithm like fuzzy logic and an NbCO [7] strategy to tune beacon size in order to effectively 
control channel congestion. 

The structure of the paper is as follows: Sect. 2 presents a literature review of some 
closely related works. Section 3 covers a detailed explanation of the features and working 
procedure of our proposed AI-TPCO scheme. Section 4 covers the simulation configura- 
tion and implementation. Section 5 presents the performance evaluation of our proposed 
AI-TPCO scheme against the Periodic Omission of Certificates (POoC) and NbCO 
schemes. Section 6 covers the conclusion of this work.


2 Related Work


In this section, we review some closely related works. 


2.1 Certificate Omission Schemes 


Periodic Omission of Certificates (POoC); as the name implies, a POoC [6] strategy 
operates by attaching a certificate to beacons only on periodic bases. Thus, if a vehicle 
is expected to send ‘n’ number of beacons within a second, the POoC strategy will 
require that a certificate be affixed to only the ‘nth’ beacon and omitted from the
remaining ‘n-1’ beacons it broadcasts. Upon evaluation, the performance of this scheme
is noticed to be context dependent as CPL increases under situations where vehicle 
mobility is high and beacon transmission frequency is low and as such compromising 
vehicle cooperative awareness. 

Neighbor-based Certificate Omission (NbCO); in VANETs, vehicles are made aware 
of other neighboring vehicles through the reception of periodic beacons. And a vehi- 
cle upon identifying a new neighbor, records the details of this new neighbor into a 
neighboring table for reference purposes. Employing the neighboring table concept, the 
NbCO [7] strategy controls channel congestion by attaching a certificate to a beacon 
only when it observes an update in its neighboring table. Upon evaluation, the scheme 
produced promising results as it was able to reduce packet loss. However, its perfor- 
mance was also demonstrated to be context-dependent as it reduced NPL significantly 
only in situations where vehicle mobility is low and also reduced CPL significantly only 
in circumstances where vehicles mobility is high. From this, we observe that the NbCO 
strategy is unable to attain a fair balance between CPL and NPL as its performance 
conditions are contradictory. 

Congestion-based Certificate Omission (CbCO); the Congestion-based Certificate 
Omission (CbCO) scheme was proposed by [8] to control channel congestion based 
on the observed Channel Busy Ratio (CBR). As such, the CbCO scheme upon sensing 
the communication to be free attaches a certificate to all beacons transmitted so as to 
reduce CPL and when it senses the communication channel to be congested, it omits 
certificates from subsequent beacons in an aggressive manner by using a POoC strategy. 
Upon evaluation, the CbCO scheme proved promising as it was able to reduce the total 
number of packets that were lost (NPL + CPL) within the simulation time. However, 
when we consider the individual packets that were lost (NPL and CPL) we observe that 
its performance is no better than previously proposed schemes. 

Transmission Power-control Certificate Omission (TPCO); a TPCO strategy was 
proposed by [9] to maximize cooperative awareness amongst vehicles by minimizing 
CPL and NPL. The scheme merged the NbCO strategy and a Distributed Transmission 
Power Control (D-TPC) strategy to efficiently manage channel congestion. And as such, 
the NbCO strategy was used as a proactive means of preventing channel congestion 
whereas the D-TPC strategy was used as a reactive means to help vehicles cooperatively 
reduce channel congestion upon receiving a distress signal. Although this scheme was 
able to significantly reduce the number of incurred NPL through its reactive congestion 
control strategy, it was unable to significantly reduce the number of incurred CPL when
evaluated against the NbCO strategy since the performance margin between them can
be considered negligible. 

We consider it worth mentioning that to the best of our knowledge, these were the 
only works we found in the literature regarding certificate omission strategies. 


2.2 Transmission Power Control (TPC) Schemes 


As discussed in previous sections, researchers have proposed in the literature many 
congestion control approaches, an example being the TPC approach. Generally, this 
kind of approach controls channel congestion by tuning vehicle transmission power 
in situations where the contention for channel acquisition is high. 

A Distributed Fair Power Adjustments for Vehicular environment (D-FPAV) was 
suggested in the work [10] to maintain the load of the communication channel beneath 
a predefined value to avoid packet collision in situations where vehicle density is high. 
In so doing, the transmission power of vehicles is dynamically adjusted upon receiving 
information on the status of its neighbouring vehicles indicating that the channel load 
is high. Chang et al. [11] in their work proposed a D-TPC approach to manage channel 
congestion, without sacrificing cooperative awareness among vehicles. In their approach,
vehicles within communication range cooperatively adjust their transmission power upon 
sensing the channel to be congested or receiving a distress signal from neighbouring 
vehicles. In [12] the author proposed a Vehicle Density-Based Power Control (VDBPC) 
strategy that takes into account the density state of vehicles in the network. In this work,
vehicle density was classified into three states (sparse, moderate and dense) and based 
on the estimated density state, a vehicle adjusts its transmission within the range of 
high, medium and low transmission power respectively. However, this strategy may be 
considered as inefficient as the density of vehicles based on which transmission power 
is adjusted is randomly assumed. 


3 AI-Based Transmission Power-Control Certificate Omission 
Scheme 


In this work, we propose an AI-TPCO scheme to address the aforementioned drawbacks 
of previously proposed certificate omission schemes. As such, our proposed scheme 
aims at attaining a well-balanced and minimized number of packet loss (CPL and NPL) 
even as the traffic congestion situation increases in a vehicular environment and conse- 
quently maximizing the level of cooperative awareness attained amongst vehicles. To 
demonstrate an efficient control over channel load, we designed our AI-TPCO scheme 
to intelligently tune beacon transmission power using fuzzy logic and reactively adapt 
beacon size using an NbCO scheme. We also proposed as part of our transmission power 
control approach, a cooperative adaptation of beacon transmission power to enable the 
fast convergence of channel load to a reasonable value that is below the predefined chan- 
nel load threshold. In this section, we will discuss in detail how our proposed scheme 
works.


3.1 Beacon Size Control (BSC) Approach


As was elaborated in previous sections, the security mechanism adopted in the state-of- 
the-art for secured beaconing significantly increases the beacon payload size which in 
turn induces an increase in channel load when vehicle density is high. For this reason, 
we propose that beacon payload size is reactively adapted through the adoption of an 
NbCO strategy which is triggered based on the estimated channel load. Thus, when a 
vehicle estimates the channel load to be high, it aggressively adapts its beacon size by 
attaching a certificate to beacons only upon observing an update in its neighboring table 
(i.e.: a new neighbor is found). On the other hand, if the vehicle observes the channel 
load as low, it will switch to a No omission strategy where it attaches a certificate to 
every beacon it broadcasts. This will as a result prevent the occurrence of CPL when 
the communication channel is free whereas the NbCO strategy will significantly reduce 
NPL when the communication channel load is high. In this work, the NbCO strategy is 
invoked when the channel is observed to be in a Restrictive state and the No Omission 
strategy is invoked when otherwise. 


$$\text{Estimated\_CL} = N \times (\text{beacon\_rate} \times M_{\text{length}}) \tag{1}$$


We measured the load of the communication channel using the formula in Eq. (1),
with Estimated_CL representing a vehicle's estimation of the current load of the communication
channel, N representing the total number of neighboring vehicles, beacon_rate
representing the total number of beacons a vehicle transmits per second and M_length
representing the size of the beacon payload. We define in Table 1 the pseudo-code for
our proposed beacon size control approach.


Table 1. Beacon size control approach (certificate omission strategy)

Data: Estimated channel load
Output: Beacon size control

If Estimated_CL < 40% then
    Attach certificate to all beacons (No Omission strategy)
    Wait time ‘AT’
Else
    If New_neighbor == True then
        Attach a certificate to the next beacon
        Wait time ‘AT’
    Else
        Omit certificate from beacons
        Wait time ‘AT’
endif
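
The decision in Table 1, together with what it means for a vehicle that has just come into range, is shown below as an added example that is not code from the paper. The class names and `run_scenario` are hypothetical, normalising Eq. (1) by the 3 Mbit/s channel rate from Table 6 is an assumption, and the receiver only models certificate availability (no signature is actually verified).

```python
from dataclasses import dataclass, field
from typing import Optional

# Sizes and rates from Table 6.
PAYLOAD_B, SIGNATURE_B, CERTIFICATE_B = 50, 56, 125
BEACON_RATE_HZ = 10
CHANNEL_BPS = 3_000_000        # 802.11p at 3 Mbit/s
NO_OMISSION_BELOW = 0.40       # Table 1: below 40 % every beacon carries a certificate


def estimated_cl(n_neighbors, beacon_rate=BEACON_RATE_HZ,
                 m_length=PAYLOAD_B + SIGNATURE_B + CERTIFICATE_B):
    """Eq. (1) as a fraction of channel capacity.

    Assumption: the page states thresholds in percent but not how Eq. (1) is
    normalised, so this example divides the offered bit rate by CHANNEL_BPS.
    """
    return n_neighbors * beacon_rate * m_length * 8 / CHANNEL_BPS


@dataclass
class Beacon:
    sender: str
    seq: int
    certificate: Optional[str]   # None means the certificate was omitted

    @property
    def size(self):
        extra = CERTIFICATE_B if self.certificate is not None else 0
        return PAYLOAD_B + SIGNATURE_B + extra


@dataclass
class Sender:
    vid: str
    neighbors: set = field(default_factory=set)
    table_updated: bool = False
    seq: int = 0

    def hear(self, other_vid):
        """Process a beacon from other_vid; a new entry updates the neighboring table."""
        if other_vid not in self.neighbors:
            self.neighbors.add(other_vid)
            self.table_updated = True

    def next_beacon(self):
        """Table 1: No Omission below the threshold, NbCO otherwise."""
        load = estimated_cl(len(self.neighbors))
        attach = load < NO_OMISSION_BELOW or self.table_updated
        self.table_updated = False
        self.seq += 1
        return Beacon(self.vid, self.seq, f"cert:{self.vid}" if attach else None)


@dataclass
class Receiver:
    cert_cache: dict = field(default_factory=dict)
    accepted: int = 0
    cpl: int = 0

    def receive(self, beacon):
        if beacon.certificate is not None:
            # A real receiver validates the certificate chain before caching it.
            self.cert_cache[beacon.sender] = beacon.certificate
        if beacon.sender not in self.cert_cache:
            self.cpl += 1          # unverifiable beacon is dropped: one CPL
            return False
        # Signature verification with the cached certificate would run here.
        self.accepted += 1
        return True


def run_scenario(existing_neighbors, heard_after, total_beacons=10):
    """A newcomer listens to one sender; the sender first hears the newcomer
    after it has already sent `heard_after` beacons (constructed scenario)."""
    sender = Sender("A")
    for i in range(existing_neighbors):
        sender.hear(f"v{i}")
    sender.next_beacon()           # consume the pending table update
    newcomer, bytes_sent = Receiver(), 0
    for k in range(total_beacons):
        if k == heard_after:
            sender.hear("newcomer")
        beacon = sender.next_beacon()
        bytes_sent += beacon.size
        newcomer.receive(beacon)
    return newcomer.cpl, newcomer.accepted, bytes_sent


if __name__ == "__main__":
    for n in (10, 100):
        print(n, round(estimated_cl(n), 3), run_scenario(n, heard_after=3))
```

With 100 neighbors the newcomer drops every beacon sent before the sender's neighboring table records it, while with 10 neighbors nothing is dropped at the cost of roughly twice the bytes on air.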


178 E. C. Dapaah et al. 


3.2 Transmission Power Control Approach 


As a reactive beacon size control approach is generally not efficient enough to combat 
congestion, we also suggest the proactive and reactive adaptation of beacon transmission 
power to minimize channel congestion probability which will, in turn, have a positive 
impact on the number of incurred NPL and CPL. In so doing, we employed the use of 
fuzzy logic as a decision-making system to enable vehicles adapt transmission power 
independently and cooperatively. In this section, we will discuss in more detail how our 
modelled fuzzy logic decision-making system functions. 


Independent Adaptation of Transmission Power 

In our proposed scheme, we modelled a Single Input, Single Output (SISO) fuzzy logic 
system which accepts a single crisp value as input and produces a single crisp value 
as an output. A fuzzy logic decision-making system is divided into various stages
and the first of these stages is the initialization stage where we initialize our input 
and output parameters with their corresponding linguistic variables and membership 
functions. In this work, we chose estimated channel load as our input parameter and 
beacon transmission power as our output parameter. The terms Relaxed, Active and 
Restrictive are defined as our input linguistic variables and we defined the range for our 
input variable in accordance with [13] as illustrated in Table 2. Also, the terms Low, Medium
and High are defined as our output linguistic variables (ranging from 0 to 20 mW).
Figure 1 and Fig. 2 illustrate our input and output membership functions respectively.
The remaining stages of our fuzzy logic decision-making system are elaborated below:


Table 2. Mapping of channel state to channel load threshold

| State | Estimated channel load |
|---|---|
| Relaxed | <15% |
| Active | 15% to 40% |
| Restrictive | >40% |


Factors Calculation: Generally, an estimation of channel load is the measure of the 
amount of load occupying the communication channel at any given point in time and as 
such, it is an efficient means of detecting the congestion probability of the communication 
channel. Hence, we considered the estimation of channel load as our crisp input. We 
used Eq. (1) as our channel load estimation formula. Also, in measuring the degree of 
membership to a linguistic variable from the membership functions, we used both the 
triangular and trapezoidal membership functions [14]. 

Fuzzification: at this stage, the input value (crisp value) is converted into a fuzzy 
input set using the corresponding membership function. Hence, each vehicle uses the 
input membership function (as defined in Fig. 1) to calculate the degree to which their 
estimated channel load belongs to the input linguistic variables (Relaxed, Active or 
Restrictive). This membership degree then becomes our fuzzy input set.

Fig. 1. Membership function for fuzzy logic input parameter (Estimated Channel Load)

Fig. 2. Membership function for fuzzy logic output parameter (Transmission Power)


Table 3. Fuzzy rule base

|  | Estimated channel load | Transmission power |
|---|---|---|
| Rule 1 | Relaxed | High |
| Rule 2 | Active | Medium |
| Rule 3 | Restrictive | Low |

Fuzzy Inference Engine: constitutes a list of IF/THEN rules (as specified in Table
3) which form the decision-making brain of the fuzzy system. Here, each vehicle uses
the fuzzy rule base to determine to which of the output linguistic variables its fuzzy input
value belongs and its corresponding membership degree. As such, a fuzzy output set is
generated using the Mamdani fuzzy inference method [15].

Defuzzification: in the defuzzification stage, a crisp output value is generated using
the membership function defined for the output parameter (depicted in Fig. 2) and a cor- 
responding degree of membership of the fuzzy output set. In this thesis, we employed the 
Mean Of Maxima (MOM) method [16] to defuzzify the fuzzy output set. The generated 
crisp output value then serves as the beacon transmission power of a vehicle. 


Cooperative Adaptation of Transmission Power 

In addition to the independent adaptation of transmission power by vehicles, we also 
propose the cooperative adaptation of transmission power (using same fuzzy logic sys- 
tem) upon a vehicle receiving a distress signal from a neighboring vehicle. Thus, when 
a vehicle estimates its channel load to be high, it generates a distress signal (containing 
information on the observed channel state) and also piggybacks onto it its observed
number of neighboring vehicles. The distress signal is then broadcast to all neighbor- 
ing vehicles as a means of informing them of its current state and also soliciting their 
cooperative support. Therefore, if a vehicle should receive a distress signal, it extracts 
the piggybacked information (number of neighboring vehicles) and using this infor- 
mation, it estimates the corresponding channel load. Upon estimating the channel load 
(generated from the piggybacked information), the value is fed into the fuzzy system 
as input to generate the appropriate transmission power with which it can cooperatively 
assist in relieving the observed channel condition. Hence, allowing for the effective con- 
trol of channel load to maximize cooperative awareness amongst the vehicles. Table 4 
and Table 5 illustrate the pseudocode for our proposed transmission power control
approach (independent and cooperative transmission power adaptation). 


Table 4. Algorithm I: Transmission power control strategy (sending vehicle)

Data: beacon_rate, M_length and N
Output: Change in channel state, adapted transmission power

Estimate channel load (N = observed no. of neighbors)
If Estimated_CL > 15% then
    Set channel state = Active or Restrictive
    Broadcast ‘Distress signal’
    Generate transmission power (using fuzzy logic)
    Wait time ‘AT’
Else
    Set channel state = Relaxed
    Generate transmission power (using fuzzy logic)
    Wait time ‘AT’
endIf


Table 5. Algorithm II: Transmission power control strategy (receiving vehicle)

Data: Distress signal, beacon_rate and M_length
Output: Adapted transmission power

If Distress signal == True then
    Estimate channel load (N = no. of neighbors piggybacked in distress signal)
    Generate corresponding transmission power (using fuzzy logic)
    Wait time ‘AT’
Else
    Go to Algorithm I
endIf
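
The fuzzy controller of Sect. 3.2 and the two algorithms in Tables 4 and 5 are sketched below as an added example that is not the authors' Veins implementation. The membership breakpoints are assumptions (Fig. 1 and Fig. 2 are not reproduced on the page; the input sets are chosen to cross at the Table 2 thresholds), as is normalising Eq. (1) by the 3 Mbit/s channel rate; all function names are hypothetical.

```python
BEACON_RATE_HZ = 10            # Table 6
M_LENGTH_B = 50 + 56 + 125     # payload + signature + certificate, Table 6
CHANNEL_BPS = 3_000_000        # 3 Mbit/s, Table 6


def estimated_cl(n, beacon_rate=BEACON_RATE_HZ, m_length=M_LENGTH_B):
    """Eq. (1) in percent of channel capacity (normalisation is an assumption)."""
    return 100.0 * n * beacon_rate * m_length * 8 / CHANNEL_BPS


def trapezoid(x, a, b, c, d):
    """Trapezoidal membership; a == b or c == d gives a shoulder, b == c a triangle."""
    if x < a or x > d:
        return 0.0
    if b <= x <= c:
        return 1.0
    return (x - a) / (b - a) if x < b else (d - x) / (d - c)


# Assumed shapes. Input universe: channel load in percent.
INPUT_SETS = {
    "Relaxed":     (0, 0, 10, 20),
    "Active":      (10, 20, 35, 45),
    "Restrictive": (35, 45, 100, 100),
}
# Output universe: transmission power, 0 to 20 mW.
OUTPUT_SETS = {
    "Low":    (0, 0, 4, 8),
    "Medium": (6, 10, 10, 14),
    "High":   (12, 16, 20, 20),
}
RULES = {"Relaxed": "High", "Active": "Medium", "Restrictive": "Low"}  # Table 3
POWER_GRID = [i / 10 for i in range(201)]      # 0.0, 0.1, ..., 20.0 mW


def fuzzify(load_pct):
    """Degree of membership of the crisp load in each input linguistic variable."""
    load_pct = min(max(load_pct, 0.0), 100.0)  # offered load can exceed capacity
    return {name: trapezoid(load_pct, *p) for name, p in INPUT_SETS.items()}


def tx_power_mw(load_pct):
    """Mamdani inference (min clipping, max aggregation), then Mean of Maxima."""
    degrees = fuzzify(load_pct)
    aggregated = [
        max(min(degrees[state], trapezoid(p, *OUTPUT_SETS[out]))
            for state, out in RULES.items())
        for p in POWER_GRID
    ]
    peak = max(aggregated)
    maxima = [p for p, mu in zip(POWER_GRID, aggregated) if mu >= peak - 1e-9]
    return sum(maxima) / len(maxima)


def channel_state(load_pct):
    """Table 2 mapping."""
    if load_pct < 15:
        return "Relaxed"
    return "Active" if load_pct <= 40 else "Restrictive"


def sending_vehicle(n_neighbors):
    """Algorithm I: returns (state, power in mW, distress signal or None)."""
    load = estimated_cl(n_neighbors)
    state = channel_state(load)
    distress = {"state": state, "neighbors": n_neighbors} if load > 15 else None
    return state, tx_power_mw(load), distress


def receiving_vehicle(distress, own_neighbors):
    """Algorithm II: adapt to the sender's view if a distress signal arrived."""
    if distress is None:
        return sending_vehicle(own_neighbors)[1]
    return tx_power_mw(estimated_cl(distress["neighbors"]))


if __name__ == "__main__":
    for n in (10, 30, 100):
        print(n, sending_vehicle(n))
```

A receiver is driven entirely by the neighbor count piggybacked in the distress signal, so in this sketch a vehicle on a quiet channel drops from 18 mW to 2 mW on the word of a neighbor that reports 100 neighbors.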


4 Simulation Configuration and Implementation 


As our network simulator, we employed the use of OMNET++ which is an object- 
oriented modular discrete event network simulation framework that enables the 
modelling of communication in both wired and wireless networks. 

As traffic simulator, we use SUMO, a portable open-source road traffic simulation
software that was designed by the Institute of Transportation at the German Aerospace 
centre to support the simulation of large road networks. In this work, we used SUMO to 
generate two traffic scenarios. First of which is a 4-way signalized junction as illustrated 
in Fig. 3 and we imported a real roadmap of Erlangen from Open Street Map as our 
second traffic scenario as illustrated in Fig. 4. To achieve a dense traffic condition to test 
the robustness of our proposed scheme, we simulated the communication between 100 
to 400 vehicles in each traffic scenario. 


Fig. 3. A 4-way signalized junction

Fig. 4. Erlangen map


Also, we employed the Veins simulation framework which is an open-source 
VANETs simulation program used to simulate Inter-Vehicular Communication (IVC) 
by running in parallel the OMNET++ simulator and SUMO simulator. In this work, we 
extended the Application layer of the Veins framework to model our certificate omission 
strategy and we also extended the MAC layer of the Veins framework to implement our 
fuzzy logic based transmission power control strategy. 

In Table 6, we present a summary of the network and traffic parameter configura- 
tions of our simulation and it is worth mentioning that some of these parameters were 
configured in conformity with the work of Schoch et al. in [8]. 


Table 6. Overview of simulation parameters

| Parameter | Value | Source location |
|---|---|---|
| Number of vehicles | 100, 200, 300, 400 vehicles | *.rou.xml |
| Field size | 90 km x 40 km | Omnetpp.ini |
| Beacon frequency | 10 Hz | Omnetpp.ini |
| Payload size | 50 Bytes | Omnetpp.ini |
| ECC key type | Nistp256, compressed | Omnetpp.ini |
| Certificate size | 125 Bytes | Omnetpp.ini |
| Signature size | 56 Bytes | Omnetpp.ini |
| MAC | 802.11p, 3 Mbit/s | Omnetpp.ini |
| Max transmission power | 20 mW | Omnetpp.ini |
| Simulation time (sec) | 150, 250, 350, 450 s | Omnetpp.ini |
| Simulation runs | 10 | Omnetpp.ini |


5 Performance Evaluation


In evaluating our proposed AI-TPCO schemes, we performed a comparison between our 
obtained simulation results and the results obtained from the NbCO and POoC schemes 
which we considered as the baseline for our comparison. Below are the evaluation metrics 
we used in our comparison: 


• Percentage of CPL: this criterion shows the percentage of CPL incurred during the
simulation time, thereby giving a clear indication of the level of cooperative awareness
achieved.

• Percentage of NPL: this metric measures the percentage of NPL incurred during the
entire simulation time and as such gives us an estimate of the network performance,
as well as the level of cooperative awareness achieved.


Figure 5 and Fig. 6 show the evaluation results in the 4-way signalized junction 
scenario, whereas Fig. 7 and Fig. 8 show the evaluation results in the Erlangen map 
scenario. 

From Fig. 5, we noticed that when the vehicle population is 100, the POoC, NbCO and 
AI-TPCO schemes incurred an NPL percentage of 16.06, 8.28 and 12.26 respectively. 
Here, we observe that our AI-TPCO scheme performed slightly worse, as it incurred 3.98
more NPL than the NbCO strategy. This, we believe, is a result of the No Omission
strategy we perform when channel load is observed to be below a defined threshold. 
However, as the number of vehicles begins to increase from 100 to 400, the simulation 
results show that our AI-TPCO strategy outperforms both the POoC and NbCO strategies. 
When the number of vehicles is 400, we see that our AI-TPCO scheme incurs an NPL 
percentage of 19.49 which is approximately two times lower than that of the NbCO 
scheme and approximately three times lower than that of the POoC scheme. Implying 
that our AI-TPCO scheme can reduce NPL drastically even as channel load or vehicle 
population increases. We, therefore, attribute this efficient channel control performance 
demonstrated by our AI-TPCO scheme to the proactive and reactive strategies we adopted 
in our scheme. 


Fig. 5. Percentage of NPL (4-way signalized junction)

Figure 6 depicts the variations in CPL with vehicle population for each congestion
control strategy. We compared the percentage of CPL incurred in POoC, NbCO and 
AI-TPCO schemes as we gradually increase the vehicle population from 100 to 400. 
The simulation results prove that our proposed AI-TPCO scheme is more efficient at 
decreasing CPL as it recorded a CPL percentage of 1.85, 2.74, 2.72 and 2.67 (as vehicles 
increases from 100 to 400 respectively) which is approximately three times lower than 
that of POoC and NbCO. Hence, making our AI-TPCO scheme the first certificate 
omission scheme to significantly outperform the NbCO scheme at reducing CPL. 

However, when vehicle population is 200 we observe that our proposed AI-TPCO 
scheme and the POoC scheme incurred its highest CPL and this is because of the indi- 
rect impact NPL has on CPL. Thus, depending on the kind of beacon (with certificate 
or without certificate) that is dropped during a NPL, there may be an effect on CPL. 
Hence, we deduce that majority of the beacons that were dropped in NPL when vehicle 
population is 200 were possibly beacons with certificates attached and as such affecting 
the incurred number of CPL in these schemes when vehicle population is 200.

Fig. 6. Percentage of CPL (4-way signalized junction)


In the Erlangen scenario, our proposed AI-TPCO strategy is evaluated using the 
same evaluation metrics as were used in the highway scenario. Figure 7 and Fig. 8
illustrate the results obtained from this scenario. From Fig. 7, we observe that as the
vehicle population increases, the percentage of NPL continues to increase across all the 
omission strategies under study. For instance, using POoC, NbCO and AI-TPCO, the 
percentage of NPL are 22.63, 23.45 and 9.59 respectively when the population of the 
vehicles is 200. And 49.76, 37.08 and 11.99 respectively when the population of vehicles 
is 300. From the given example, the difference between the two results is 27.13, 13.63 
and 2.4 respectively. With this difference, we deduce that our proposed scheme better 
improves network performance as it can suppress NPL significantly even as the vehicle 
population increases. 

When vehicle population is 300 we observe that all the schemes incurred their highest 
NPL and this we attribute to the random assignment of routes to vehicles. Thus, in our 
simulation routes were randomly assigned to the vehicles on the map and as such, the 
routes vehicles take when their population is 100 is different from the routes the vehicles 
will take on the same map when their population is 200. Hence, we deduced that due 
to this random assignment of routes, vehicles experienced higher clustering when their 
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population was 300 which consequently increased traffic congestion and as a resulting 
affecting the number of NPL incurred. 
Fig. 7. Percentage of NPL (Erlangen Map) 

The results in Fig. 8 show that our AI-TPCO scheme was able to outperform the POoC 
and NbCO schemes significantly by a performance margin of 4.83 and 3.35 respectively 
when the vehicle population is 100. This performance margin is seen to be maintained 
even as the vehicle population increases from 100 to 400. Hence, comparing the results 
obtained from the 4-way signalized junction and the Erlangen map scenarios, it is clear 
that our proposed scheme is consistent at maintaining its performance (of decreasing 
CPL) regardless of the traffic scenario under use. Once again, when vehicle population is 
300 we observe that the POoC scheme and the NbCO scheme incurred their highest CPL 
and as we previously explained, we attribute this to the indirect impact NPL has on CPL. 

Comparing results obtained from both traffic scenarios (4-way signalized junction 
and Erlangen map) we can conclude that our proposed AI-TPCO scheme significantly 
outperforms the other strategies as it is able to demonstrate effective control over the 
communication channel even as the vehicle population increases, thereby maximizing 
cooperative awareness amongst vehicles. 


6 Conclusion 


In this paper, we addressed the drawbacks of existing certificate omission strategies and 
as such we investigated how to significantly decrease CPL and NPL incurred. And we did 
this with the ultimate aim of maximizing cooperative awareness amongst vehicles even 
as traffic congestion increases in the vehicular environment. In so doing, we proposed 
an AI-TPCO scheme that combines the strengths of both a TPC and BSC strategy to 
effectively control channel congestion in VANETs. To detect congestion, the proposed 
scheme estimates channel load and uses the TPC and BSC strategy to respectively 
control channel congestion proactively and reactively. The TPC approach of our proposed 
scheme controls congestion by tuning the transmission power of vehicles independently 
or cooperatively using fuzzy logic, whereas the BSC approach of our scheme controls 
congestion by tuning the beacon size using a No omission or NbCO strategy. 

The obtained simulation results justify our claims that the proposed AI-TPCO scheme 
can incur a significantly low and balanced number of NPL and CPL even as the traffic 
congestion increases. This in turn shows that the scheme can maximize 
cooperative awareness amongst vehicles and also exhibit an effective mastery over the 
communication channel in both traffic scenarios used. 

In conclusion, we have demonstrated through our work that when a beacon size 
control strategy is supplemented with an intelligent transmission power control strategy, 
the strategy gains mastery over the communication channel and as such maximizes 
vehicle cooperative awareness. 
Abstract. Smart grid networks offer two-way communication between the smart 
meters and the utility service providers (USPs). This enables the USPs to analyze 
real-time data emanating from the consumers and offer dynamic adjustments to 
the power generation and transmission. However, the periodical transmission of 
consumption reports from the smart meters towards the USPs over public channels 
exposes the exchanged messages to attacks such as eavesdropping, modification 
and bogus injections. Consequently, the power adjustments executed may not be 
occasioned by consumer requirements but by malicious entities within the smart 
grid network. To curb this, numerous schemes have been presented in literature. 
However, the majority of these protocols are either susceptible to attacks or are 
inefficient. In this paper, a dynamic ephemeral and session key generation protocol 
is presented. The security analysis shows that it offers entity anonymity, mutual 
authentication, forward key secrecy and untraceability. In addition, it is shown 
to be resilient against typical smart grid attacks such as offline password guessing, 
denial of service (DoS), packet replays, privileged insider, man-in-the-middle 
(MitM), impersonation and physical capture. In terms of performance, it has the 
least execution times and bandwidth requirements among other related protocols. 

1 Introduction 


The Smart Grid (SG) is envisioned as the next-generation intelligent network that intro- 
duces efficiency in the delivery, management and integration of renewable and green 
energy technologies [1]. The SG basically provides a two-way information and energy 
exchange between the smart meter (SM) and the utility service provider (USP) [2]. A 
typical SG consists of control centers, communication modules and smart devices such as 
smart meters. In the SG networks, the SMs monitor power consumptions and stability of 
the supplied power [3]. In essence, the SM utilizes the two-way communication channel 
between the consumer and the USP to manage, exchange and control energy delivery and 
consumption at the customer premises [4]. Despite the offered convenience, the SMs 
raise security and privacy issues regarding the transmission of energy consumptions 
reports over the public networks [4, 5]. 

As explained in [6], the SG is one of the many application domains of Internet of 
Things (IoT) that utilizes the Internet Protocol (IP) for the exchange of information 
between the USP and the SMs. Through the bi-directional communication procedures, 
energy efficiency is realized [7] through dynamic adjustments to the power transmitted. 
Compared with the conventional power grids, SGs offer enhanced efficiency, reliability 
and sustainability [8]. However, many security issues such as Distributed Denial of 
Service (DDoS) lurk in the SG networks targeting the SMs and other SG components. 
In addition, other attacks inherent in conventional public channels [9] are also possible 
in SG networks. 

In most application domains, the SMs are installed outside in an open environment 
within a home. This exposes the SMs to numerous attacks, including physical capture [4, 
10] which may facilitate side-channel attacks through power analysis. According to [6], 
the communication module that interlinks different components introduces security vul- 
nerabilities into the SG as a result of increased complexity and increased surfaces from 
where attacks can be launched against the electrical power system. As such, although the 
SG facilitates automated measurement and visualization of power consumptions, spoof- 
ing attacks are common in this environment [11]. The requirement that SMs transmit 
periodical consumption reports to the USP implies increased chances of eavesdropping. 
Such packet leakages may compromise consumer privacy [12] and may be deployed to 
infer the conditions of home occupancy from captured power consumption reports. 

The USP normally analyzes the received consumption reports from the SMs and 
adjusts power transmission appropriately [13]. In so doing, the USP is able to balance 
peak and off-peak power consumptions [14]. However, attackers may capture and modify 
the exchanged reports, leading to erroneous adjustments at the USP [2]. As pointed 
out in [13], demand response management is critical for reliable and efficient power 
management in SG environment. This requires frequent data exchanges between the 
SMs and USP. However, this serves to increase chances of the transmitted data being 
compromised over insecure channels [13]. On the other hand, packet interceptions, 
modification and eavesdropping have been identified in [15] as being serious threats in 
SG networks. 

The decentralized nature of the SGs, with their massive components and complex 
connections, has been identified in [16] as being the source of security, trust and privacy 
issues in this environment. As such, new techniques and protocols are required to deal 
with this scenario. Authentication is the first step towards SG network security, which 
is followed by agreement on some session keys to protect the exchanged packets [4, 17, 
18]. The assurance of data privacy, mutual authentication, key establishment, anonymity, 
untraceability, and unlinkability is critical in SGs. However, the provisioning of these 
security features at low computation costs is still a challenge [19]. As pointed out in [20], 
there is need for robust authentication protocols to offer support for secure and private 
exchange of information among legitimate entities in SGs. The major contributions of 
this paper include the following: 


• Transient security tokens are deployed to dynamically generate the session keys to 
  protect the exchanged power consumption reports. 
• All SG network entities communicate using their pseudonyms to uphold their 
  anonymity and untraceability during the authentication and key agreement phase. 
• Security analysis is executed to show that the proposed protocol offers superior 
  security features compared with other related schemes. 
• Performance evaluation is carried out to show that this protocol provides strong 
  security at the lowest execution times and bandwidth requirements compared with 
  other related protocols. 


The rest of this paper is organized as follows: Sect. 2 presents related work while 
Sect. 3 gives an illustration of the system model adopted in this paper. On the other 
hand, Sect. 4 presents and discusses the comparative analysis, while Sect. 5 concludes 
the paper and gives future work. 


2 Related Work 


Many SG network authentication and key agreement protocols have been presented in 
literature. For instance, a public and private key based scheme for SMs is presented in 
[21]. However, this protocol is inefficient due to the intensive computations that must 
be executed [22, 23]. A SG message authentication technique is introduced in [24], but 
it is susceptible to DDoS and fails to offer trustworthy mutual authentication [25]. 
On the other hand, an identity-based encryption protocol is developed in [26]. Although 
this approach offers mutual authentication and SM anonymity, it cannot assure session 
key security. In addition, identity-based protocols cannot offer device privacy due to the 
requirement that the identities be exchanged during mutual authentication [27]. Using 
elliptic curve cryptography (ECC), a key agreement and authentication (AKA) protocol 
is presented in [28]. However, this scheme has high communication overheads [7] and 
is generally complicated. 

A blockchain based AKA protocol is introduced in [29] to offer anonymous authen- 
tication in SGs. However, the deployed central authority may present some single point 
of failure [7]. In addition, the blockchain technology employed here has high space and 
computational complexities [30]. On the other hand, the AKA protocol developed in 
[31] is still vulnerable to traceability and impersonation attacks. Based on the public 
key infrastructure (PKI), a lightweight message authentication technique is presented in 
[32]. However, this protocol has high execution time for the deployed private keys and 
signatures [23]. In addition, PKI may lead to unnecessarily heavy storage and signaling 
complexities among the authenticating entities [33]. Authors in [34] have developed a 
bilinear maps based protocol, but the deployed bilinear maps render it computationally 
intensive [30]. In addition, the USP may fail to detect any malicious SM messages [19]. 

An ECC based lightweight AKA protocol is presented in [35] for clients and SG 
substations authentication. However, this scheme does not offer perfect key secrecy [36]. 
To provide protection against outsider and insider attacks in SG, an attribute based secu- 
rity protocol is introduced in [17]. However, the communication and storage costs of 
this scheme are too high for the computation, transmission and energy limited smart gas 
meter. On the other hand, the scheme presented in [3] is susceptible to impersonation and 
ephemeral secret leakage attacks [37]. The PKI based one-way authentication scheme 
developed in [38] prevented DoS, but has high computation and communication com- 
plexities [4]. The SG AKA protocol presented in [39] is unable to offer authentication 
between two SG entities [40]. On the other hand, the privacy-preserving technique in 
[41] achieves high privacy but provides only one-way authentication. To secure demand 
response, an ECC based protocol is developed in [42]. However, this scheme has scal- 
ability issues and is devoid of initial verification at the USP side which may lead to 
malicious requests being processed at the USP. 

An identity-based AKA scheme is developed in [23] for SG networks, which was 
shown to be resilient against impersonation, replay and MitM attacks. However, this 
protocol is still vulnerable to identity spoofing attacks due to the transmission of SM 
identity in plain-text [43]. Moreover, the protocols presented in [21, 26, 31, 32] and [44] 
offer mutual authentication in SG networks at the expense of high computation over- 
heads. On the other hand, authors in [45] have proposed an anonymous authentication 
protocol for smart grids. However, the scheme in [45] does not consider offline password 
guessing, privileged insider, physical capture and DoS attacks. 


3 System Model 


The network entities involved in the proposed protocol include the registration authority 
(RA), utility service provider (USP), gateway node (GWN) and the smart meter (SM) 
as shown in Fig. 1. 


[Figure: utility service provider, registration authority, gateway node and smart meters] 

Fig. 1. Network model 

As shown in Fig. 1, the smart meters directly communicate with the gateway node, 
which in turn directly communicates with the registration authority. Similarly, the utility 
service provider directly communicates with the registration authority. Here, the smart 
meters measure and submit periodic energy consumption reports to the USP. On the 
other hand, the USP adjusts power transmission and generation based on the received 
reports. The registration authority provides the security tokens and parameters needed 
for the secure transmission and reception of packets over the public channels. As shown 
in Fig. 1, the communication between the GWN and RA is through secured channels, 
similar to the connection between RA and USP. However, the communication between 
SMs and GWN, as well as between USP and GWN is through insecure public channels. 
Table 1 presents the symbols used in this paper together with their brief descriptions. 


Table 1. Symbols 

Symbol | Description 
RA | Registration authority 
USP | Utility service provider 
SM | Smart meter 
$SK_S$ | SM’s secret key 
$SK_U$ | USP’s secret key 
$SM_{ID}$ | SM’s identity 
$PD_{SM}$ | SM’s pseudonym 
$PID_{USP}$ | USP’s pseudo-identity 
$PID_S$ | SM’s pseudo-identity 
$TT_S$ | SM’s transient token 
$T_{SM}$ | SM’s timestamp during registration 
$T_{USP}$ | USP’s timestamp during registration 
$PD_{USP}$ | USP’s pseudonym 
$\psi$, $L$ | USP’s login parameters 
$H$ | Master symmetric key for RA and GWN 
$T_i$ | Timestamps during AKA 
$h(\cdot)$ | One-way hashing operation 
$\Delta T$ | Maximum transmission delays 
$A$ | Session key between SM and USP 
$\|$ | Concatenation operation 
$\oplus$ | XOR operation 


In terms of the execution procedures, the proposed protocol is composed of two major 
phases, which include registration, followed by authentication and key agreement. The 
detailed description of these phases is given in the sub-sections below. 

3.1 Registration Phase 


In this phase, the RA derives master key $H$, and registers the smart meters and gateway 
nodes before their actual deployment in the field. To accomplish this, steps 1 to 5 are 
utilized. 


Step 1: The RA generates shared key $SK_S$ and smart meter identity $SM_{ID}$. It then 
derives the smart meter’s pseudonym $PD_{SM} = h(SM_{ID} \| SK_S)$. Next, using prior 
computed security parameters and the smart meter’s current timestamp $T_{SM}$, the RA derives 
the smart meter’s transient token $TT_S = h(SM_{ID} \| SK_S \| T_{SM})$ and additional security 
parameter $Z_1 = h(PD_{SM} \| SK_S)$. Afterwards, RA sends $\{PD_S, TT_S, Z_1\}$ to the smart 
meter and gateway node (GWN) through a secure channel. 


Step 2: For the utility service provider (USP) to send and receive messages to and from 
the smart meter, registration at the RA is necessary. This begins by having the USP 
randomly choose its pseudonym $PD_{USP}$ and send registration request RegReq together 
with $PD_{USP}$ to the RA over some secure channels. 


Step 3: Upon receiving RegReq, RA generates secret key $SK_U$ followed by the derivation 
of the USP’s pseudo-identity $PID_{USP} = h(PD_{USP} \| SK_U)$. Next, the RA computes USP’s 
transient token $TT_U = h(PD_{USP} \| SK_U \| T_{USP})$. This is followed by the random selection 
of secret number $S$ that it uses to derive $K_1 = h(PD_{USP} \| S)$ and $SK_U^{*} = h(SK_U \| K_1)$. 
Afterwards, RA sends registration response RegRes $\{PID_{USP}, TT_U, K_1, h(\cdot), SK_U^{*}\}$ to 
the USP through some secure channels. 


Step 4: The SM generates nonce n3 and determines current time stamp TS that are used 
to derive the following parameters: 


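$$
\begin{aligned}
R &= h(\psi \| M), \quad P = h(PD_{USP} \| L) \oplus M \\
Q &= h(PID_{USP} \| R \| L \| K_1 \| TT_U) \\
K_2 &= K_1 \oplus h(PD_{USP} \| M) \\
PID_{USP}^{*} &= PID_{USP} \oplus h(M \| \psi) \\
TT_U^{*} &= TT_U \oplus h(PD_{USP} \| \psi) \\
SK_U^{**} &= SK_U^{*} \oplus h(PD_{USP} \| M \| \psi \| L)
\end{aligned}
$$


It then buffers $\{PID_{USP}^{*}, TT_U^{*}, K_2, P, SK_U^{**}, Q, h(\cdot)\}$ in its memory. 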


Step 5: Upon successful registration, RA computes $Z_2 = h(PID_{USP} \| SK_U)$, 
$Z_3 = h(PID_S \| SK_S)$ and $Z_4 = h(SK_U \| K_1)$ before constructing 
Msg1 = $E_H(PD_{USP}, PID_{USP}, TT_U, Z_2)$ and sending it to the GWN. Here, shared key $H$ is 
utilized to decrypt Msg1 to yield its contents which are then stored in the GWN’s database. 
As such, this database now contains $\{PD_{USP}, PID_{USP}, TT_U, PID_S, TT_S, Z_2, Z_3, Z_4\}$ 
for subsequent authentication and key agreement. Figure 2 shows the message flows during 
the registration phase. 

As shown in Fig. 2, four messages are exchanged during the registration phase. The 
RA generates and transmits a number of security parameters to both the USP and GWN. 
In addition, the GWN and USP perform some decryption and independent derivations of 
other security tokens to be used for subsequent authentication and key agreement phase. 

[Figure: message flow diagram between GWN, RA and USP] 

Fig. 2. Registration phase message flows 


3.2 Authentication and Key Agreement 


This phase is triggered whenever the USP wants to access some data from the remote 
SM. To accomplish this, the following steps are executed: 


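Step 1: Using $PD_{USP}$, $\psi$ and $L$, the USP derives the following: 

$$
\begin{aligned}
M &= P \oplus h(PD_{USP} \| \psi) \\
K_1 &= K_2 \oplus h(PD_{USP} \| M) \\
PID_{USP} &= PID_{USP}^{*} \oplus h(M \| \psi) \\
TT_U &= TT_U^{*} \oplus h(PD_{USP} \| L) \ \text{and} \ R = h(\psi \| M) \\
Q^{*} &= h(PID_{USP} \| R \| L \| K_1 \| TT_U)
\end{aligned}
$$

It then checks whether $Q^{*} = Q$ and if it is not, authentication is terminated. However, 
if this check is successful, the USP generates nonce $n_1$ and determines the current 
timestamp $T_1$. This is followed by the derivation of the following security parameters: 

$$
\begin{aligned}
SK_U^{**} &= SK_U^{*} \oplus h(PD_{USP} \| M \| \psi \| L) \\
Auth_{M1} &= PID_{USP} \oplus h(SK_U^{**} \| T_1) \\
Auth_{M2} &= PID_S \oplus h(TT_U \| PD_{USP} \| T_1) \\
Auth_{M3} &= h(PID_{USP} \| TT_U \| T_1) \oplus n_1 \\
Auth_{M4} &= h(PD_{USP} \| PID_S \| TT_U \| n_1 \| T_1)
\end{aligned}
$$

Finally, it composes Msg2 = $\{Auth_{M1}, Auth_{M2}, Auth_{M3}, Auth_{M4}, T_1\}$ and sends it 
to GWN over insecure channels. 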

Step 2: On receiving Msg2 from the USP, the GWN determines current timestamp 
$T_2$ before checking whether $|T_2 - T_1| < \Delta T$, and if this is not the case, the 
authentication is terminated. However, if this verification is successful, the GWN derives 
$PID_{USP} = Auth_{M1} \oplus h(h(SK_U \| K_1) \| T_1)$. Next, it retrieves $PD_{USP}$ and $TT_U$ 
corresponding to the derived $PID_{USP}$ from its database. This is followed by the derivation 
of nonce $n_1 = Auth_{M3} \oplus h(PID_{USP} \| TT_U \| T_1)$ and 
$Auth_{M5} = h(PD_{USP} \| PID_S \| TT_U \| n_1 \| T_1)$ before verifying that $Auth_{M5} = Auth_{M4}$. 
If this validation is unsuccessful, the session is terminated, otherwise the GWN generates 
nonce $n_2$ and determines the current timestamp $T_3$. Next, it derives the following 
security tokens: 

$$
\begin{aligned}
Auth_{M6} &= h(TT_S \| PID_S) \oplus n_2 \\
Auth_{M7} &= h(PID_{USP} \| TT_U \| n_1) \oplus h(TT_S \| T_3) \\
Auth_{M8} &= h(PID_S \| TT_S \| h(PID_S \| SK_S) \| n_2 \| T_3)
\end{aligned}
$$

Finally, it composes Msg3 = $\{Auth_{M6}, Auth_{M7}, Auth_{M8}, T_3\}$ and transmits it to 
the SM over insecure channels. 

Step 3: Upon receiving Msg3 from GWN, the SM determines current timestamp 
$T_4$ and checks whether $|T_4 - T_3| < \Delta T$. If this is not the case, the session is terminated. 
However, if this condition is true, the SM re-computes the following security tokens: 

$$
\begin{aligned}
n_2 &= Auth_{M6} \oplus h(TT_S \| PID_S) \\
h(PID_{USP} \| TT_U \| n_1) &= Auth_{M7} \oplus h(TT_S \| T_3) \\
Auth_{M9} &= h(PID_S \| TT_S \| h(PID_S \| SK_S) \| n_2 \| T_3)
\end{aligned}
$$

It then confirms whether $Auth_{M9} = Auth_{M8}$, and if this condition is false, the authentication 
session is terminated, otherwise the GWN is successfully authenticated by the SM. 

Step 4: The SM generates nonce $n_3$ and determines current timestamp $T_5$ that are 
used to derive the following parameters: 

$$
\begin{aligned}
Auth_{M10} &= h(h(PID_{USP} \| TT_U \| n_1) \| T_5) \oplus n_3 \\
Auth_{M11} &= h(h(PID_{USP} \| TT_U \| n_1) \| PID_S \| T_5) \oplus h(h(PID_S \| SK_S) \| T_5) \\
A &= h(h(h(PID_S \| SK_S) \| T_5) \| h(PID_{USP} \| TT_U \| n_1) \| PID_S \| n_3 \| T_5) \\
Auth_{M12} &= h(A \| T_5)
\end{aligned}
$$

Thereafter, it constructs Msg4 = $\{Auth_{M10}, Auth_{M11}, Auth_{M12}, T_5\}$ before transmitting 
it to the USP through some public channels. 

Step 5: Upon receiving Msg4, the USP determines current timestamp $T_6$ and checks 
whether $|T_6 - T_5| < \Delta T$, and if this is false, the session is terminated. However, if this 
condition is true, the USP derives the following security parameters: 


196 V. O. Nyangaresi et al. 


$$
\begin{aligned}
n_3 &= Auth_{M10} \oplus h(h(PID_{USP} \| TT_U \| n_1) \| T_5) \\
h(h(PID_S \| SK_S) \| T_5) &= Auth_{M11} \oplus h(h(PID_{USP} \| TT_U \| n_1) \| PID_S \| T_5) \\
A^{*} &= h(h(h(PID_S \| SK_S) \| T_5) \| h(PID_{USP} \| TT_U \| n_1) \| PID_S \| n_3 \| T_5) \\
Auth_{M13} &= h(A^{*} \| T_5)
\end{aligned}
$$

This is followed by the confirmation of whether $Auth_{M13} = Auth_{M12}$ and if this is not 
the case, the authentication is terminated, otherwise the SM is authenticated by the USP. 
As such, the computed session key $A^{*}$ derived at the USP is valid and both the USP and 
SM set $A^{*} = A$ as the shared session key to protect the exchanged packets. Figure 3 
shows the message flows during the authentication and key agreement phase. 


[Figure: message flow diagram between USP, GWN and SM] 

Fig. 3. Authentication and key agreement phase 


Based on Fig. 3, a total of three messages are exchanged during the authentication 
and key agreement phase. It is also evident that each network entity independently 
computes a number of ephemeral security parameters that are then deployed to 
verify the received messages before some trust levels can be established among all the 
communicating entities. 
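
The Msg2, Msg3 and Msg4 exchange of Sect. 3.2 as a runnable sketch, including the freshness and hash checks at each hop; this is an added example, not the authors' implementation. Assumptions: h(.) is SHA-256 truncated to 16 bytes, the USP has already unmasked its stored values (the local Q* check is omitted), Auth_M1 is keyed with h(SK_U || K_1) so that the GWN derivation in Step 2 matches, the GWN recovers PID_S from Auth_M2, and all keys, identities and timestamps are constructed sample values.

```python
import hashlib
import hmac
import os

DELTA_T = 2  # maximum transmission delay in seconds (constructed value)

def h(*parts):  # one-way hash over the concatenated parts, 16-byte output
    return hashlib.sha256(b"".join(parts)).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t):  # 4-byte timestamp encoding
    return int(t).to_bytes(4, "big")

def fresh(now, t_msg):  # |T_now - T_msg| < delta T
    return abs(now - t_msg) < DELTA_T

def setup():  # constructed registration output; every secret is a random sample
    sk_u, sk_s, k1, pd_usp, sm_id, pid_s = (os.urandom(16) for _ in range(6))
    pid_usp, tt_u = h(pd_usp, sk_u), h(pd_usp, sk_u, ts(1000))
    tt_s, z3, z4 = h(sm_id, sk_s, ts(1000)), h(pid_s, sk_s), h(sk_u, k1)
    usp = {"PD": pd_usp, "PID": pid_usp, "TT": tt_u, "Z4": z4, "PID_S": pid_s}
    gwn = {"Z4": z4, "usp": {pid_usp: (pd_usp, tt_u)}, "sm": {pid_s: (tt_s, z3)}}
    sm = {"PID": pid_s, "TT": tt_s, "Z3": z3}
    return usp, gwn, sm

def usp_request(usp, now):  # Step 1: build Msg2
    n1, t1 = os.urandom(16), ts(now)
    usp["n1"] = n1
    return (xor(usp["PID"], h(usp["Z4"], t1)),               # Auth_M1
            xor(usp["PID_S"], h(usp["TT"], usp["PD"], t1)),  # Auth_M2
            xor(h(usp["PID"], usp["TT"], t1), n1),           # Auth_M3
            h(usp["PD"], usp["PID_S"], usp["TT"], n1, t1),   # Auth_M4
            now)

def gwn_relay(db, msg2, now):  # Step 2: verify Msg2, build Msg3
    a1, a2, a3, a4, t1 = msg2
    if not fresh(now, t1):
        return None
    pid_usp = xor(a1, h(db["Z4"], ts(t1)))
    if pid_usp not in db["usp"]:
        return None
    pd_usp, tt_u = db["usp"][pid_usp]
    n1 = xor(a3, h(pid_usp, tt_u, ts(t1)))
    pid_s = xor(a2, h(tt_u, pd_usp, ts(t1)))  # assumption: PID_S comes from Auth_M2
    auth_m5 = h(pd_usp, pid_s, tt_u, n1, ts(t1))
    if not hmac.compare_digest(auth_m5, a4) or pid_s not in db["sm"]:
        return None
    tt_s, z3 = db["sm"][pid_s]
    n2, t3 = os.urandom(16), ts(now)
    return (xor(h(tt_s, pid_s), n2),                 # Auth_M6
            xor(h(pid_usp, tt_u, n1), h(tt_s, t3)),  # Auth_M7
            h(pid_s, tt_s, z3, n2, t3),              # Auth_M8
            now)

def sm_respond(sm, msg3, now):  # Steps 3-4: verify Msg3, build Msg4 and the key
    a6, a7, a8, t3 = msg3
    if not fresh(now, t3):
        return None
    n2 = xor(a6, h(sm["TT"], sm["PID"]))
    x = xor(a7, h(sm["TT"], ts(t3)))  # h(PID_USP || TT_U || n1)
    if not hmac.compare_digest(h(sm["PID"], sm["TT"], sm["Z3"], n2, ts(t3)), a8):
        return None
    n3, t5 = os.urandom(16), ts(now)
    y = h(sm["Z3"], t5)
    key = h(y, x, sm["PID"], n3, t5)
    msg4 = (xor(h(x, t5), n3), xor(h(x, sm["PID"], t5), y), h(key, t5), now)
    return msg4, key

def usp_finish(usp, msg4, now):  # Step 5: verify Msg4, derive the same key
    a10, a11, a12, t5 = msg4
    if not fresh(now, t5):
        return None
    x = h(usp["PID"], usp["TT"], usp["n1"])
    n3 = xor(a10, h(x, ts(t5)))
    y = xor(a11, h(x, usp["PID_S"], ts(t5)))
    key = h(y, x, usp["PID_S"], n3, ts(t5))
    return key if hmac.compare_digest(h(key, ts(t5)), a12) else None

def run(tamper=False, delay=0, now=1_700_000_000):
    usp, gwn, sm = setup()
    msg2 = usp_request(usp, now)
    if tamper:  # flip bits in Auth_M3 while in transit
        msg2 = msg2[:2] + (xor(msg2[2], b"\x01" * 16),) + msg2[3:]
    msg3 = gwn_relay(gwn, msg2, now + delay)
    if msg3 is None:
        return "rejected at GWN"
    out = sm_respond(sm, msg3, now + delay)
    if out is None:
        return "rejected at SM"
    msg4, key_sm = out
    key_usp = usp_finish(usp, msg4, now + delay)
    return "agreed" if key_usp == key_sm else "rejected at USP"
```

Calling `run()` completes the exchange, while `run(tamper=True)` and `run(delay=5)` show the hash check and the freshness check stopping the session at the gateway.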

4 Results and Discussion 


In this section, the security and privacy features provided by the proposed protocol are 
analyzed as elaborated in Sect. 4.1. In addition, the performance evaluation in terms of 
execution time and bandwidth requirements is provided in Sect. 4.2 below. 


4.1 Security Evaluation 


To show the robustness of the proposed protocol against some of the typical smart grid 
attacks, the following eight 


Theorem 1: DoS Attacks are Sufficiently Prevented in the Proposed Protocol. 


Proof: During the authentication and key agreement procedures, the USP security 
parameters $PD_{USP}$, $\psi$ and $L$ are verified through the confirmation of whether $Q^{*} = Q$. As such, 
the authentication request message Msg2 = $\{Auth_{M1}, Auth_{M2}, Auth_{M3}, Auth_{M4}\}$ is 
transmitted towards the GWN upon successful local authentication. Devoid of this 
successful local verification, authentication request cannot be sent over to the GWN. The 
incorporation of timestamps and random nonces renders the computed authentication 
parameters stochastic and hence cannot be easily determined by an adversary for possible 
session hijacking and hence DoS for the legitimate entities. 


Theorem 2: Anonymity and Untraceability are Upheld in the Proposed Protocol. 


Proof: In the proposed protocol, timestamps $T_1$, $T_2$, $T_3$, $T_4$, $T_5$ and $T_6$ are deployed 
in all exchanged messages Msg2, Msg3 and Msg4. The same also applies to random 
nonces $n_1$, $n_2$ and $n_3$ during the authentication and key agreement. Consequently, all 
the exchanged messages are session specific and hence an adversary is unable to trace 
the GWN or the SM during the communication process. In addition, pseudo-identities 
$PID_{USP}$ and $PID_S$ are components of the exchanged messages Msg2, Msg3 and Msg4. 
Since both $PID_{USP}$ and $PID_S$ are protected by a one-way hashing operation, they cannot 
be reversed to decipher their contents. This is due to the collision-resistance feature of 
the one-way hashing operation. 


Theorem 3: The Proposed Protocol is Resilient Against Replay Attacks. 


Proof: In the proposed protocol, timestamps are incorporated in the exchanged 
messages Msg2, Msg3 and Msg4 during authentication and key agreement procedures. Upon 
receipt of each of these messages, freshness checks are executed using the timestamps 
in these messages as well as the permissible transmission delay $\Delta T$. Consequently, an 
attacker is unable to intercept, modify and forward the transmitted messages due to the 
little transmission delays permitted. 

Theorem 4: The Proposed Protocol Preserves Forward Key Secrecy. 


Proof: Suppose that an adversary has intercepted exchanged messages Msg2, 
Msg3 and Msg4 during the authentication and key agreement phase. Since 
$A = h(h(h(PID_S \| SK_S) \| T_5) \| h(PID_{USP} \| TT_U \| n_1) \| PID_S \| n_3 \| T_5)$, the security of the 
session key is dependent on long term keys $PID_{USP}$, $PID_S$, $TT_U$, $SK_S$ and ephemerals $n_1$ 
and $n_3$. If an attacker eavesdrops timestamps $T_1$ and $T_5$, followed by secrets $n_1$ and $n_3$, 
still the session key $A$ cannot be derived. This is because it requires long term secrets 
$PID_{USP}$, $PID_S$, $TT_U$ and $SK_S$. Conversely, without knowledge of short term secrets $n_1$ 
and $n_3$, the session key $A$ cannot be computed. As such, an adversary can only derive $A$ 
when both short term and long term secrets are known, which is cumbersome. 


Theorem 5: Man-in-the-Middle Attacks Are Thwarted in the Proposed Protocol. 


Proof: In this attack, it is assumed that an attacker has eavesdropped 
Msg2 = $\{Auth_{M1}, Auth_{M2}, Auth_{M3}, Auth_{M4}, T_1\}$. Thereafter, an attempt is made to alter 
this message and replay it later on. Here: 

$$
\begin{aligned}
Auth_{M1} &= PID_{USP} \oplus h(SK_U^{**} \| T_1) \\
Auth_{M2} &= PID_S \oplus h(TT_U \| PD_{USP} \| T_1) \\
Auth_{M3} &= h(PID_{USP} \| TT_U \| T_1) \oplus n_1 \\
Auth_{M4} &= h(PD_{USP} \| PID_S \| TT_U \| n_1 \| T_1)
\end{aligned}
$$

To carry out this modification, an adversary generates nonce $n_1$ and timestamp $T_1^{*}$, 
then computes $Auth_{M1}^{*} = PID_{USP} \oplus h(SK_U^{**} \| T_1^{*})$ to substitute in Msg2. However, 
devoid of long term secrets $PID_{USP}$, $PD_{USP}$ and $SK_U^{**}$, the attacker is unable to derive 
valid message Msg2 nor can other messages exchanged during the authentication and 
key agreement process be derived. 


Theorem 6: The Proposed Protocol is Resilient Against Impersonation Attacks. 


Proof: Suppose that an attacker masquerading as USP attempts to establish an 
authentication session with the GWN. To construct a valid authentication message 
Msg2* = $\{Auth_{M1}^{*}, Auth_{M2}^{*}, Auth_{M3}^{*}, Auth_{M4}^{*}, T_1^{*}\}$ for this impersonation, the adversary 
needs to generate current timestamp $T_1^{*}$ and nonce $n_1^{*}$. However, without valid security 
parameters $PID_{USP}$, $PID_S$ and $SK_U$, it is infeasible to compute $TT_U$, $Auth_{M1}^{*}$, $Auth_{M2}^{*}$, 
$Auth_{M3}^{*}$ and $Auth_{M4}^{*}$. As such, an attacker is unable to generate valid Msg2* and hence 
this attack flops. 

Let us assume that the adversary is interested in masquerading as GWN by generating 
current timestamp $T_3^{*}$, nonces $n_1^{*}$ and $n_2^{*}$. Thereafter, an attempt is made to transmit 
message Msg3* = $\{Auth_{M6}^{*}, Auth_{M7}^{*}, Auth_{M8}^{*}, T_3^{*}\}$ to the SM. However, devoid of valid 
$PID_{USP}$, $PID_S$ and $SK_S$, it is impossible to derive $Auth_{M6}^{*}$, $Auth_{M7}^{*}$ and $Auth_{M8}^{*}$ and 
hence a valid Msg3* cannot be generated. Suppose that an attacker generates timestamp 
$T_5^{*}$, and nonces $n_1^{*}$ and $n_3^{*}$. Thereafter, an attempt is made to construct and send 
bogus message Msg4* = $\{Auth_{M10}^{*}, Auth_{M11}^{*}, Auth_{M12}^{*}, T_5^{*}\}$ to the USP. However, 
without valid $PID_{USP}$, $PID_S$ and $SK_S$, it is impossible to derive $Auth_{M10}^{*}$, $Auth_{M11}^{*}$ and 
$Auth_{M12}^{*}$, and hence this attack fails. 

Theorem 7: The Proposed Protocol is Robust Against Physical Capture Attacks. 


Proof: The assumption made here is that an adversary has captured the smart meter and 
has obtained secrets $\{PD_S, TT_S, h(PD_S \| SK_S)\}$ from the SM’s memory. However, in the 
proposed protocol, security parameters $\{PD_S, TT_S, h(PD_S \| SK_S)\}$ are assigned by the RA 
and hence are quite distinct for each SM in the smart grid network. As such, the physical 
capture of one SM only yields the session key deployed between the SM and the USP. 
Consequently, the session keys established between other SMs and the USP cannot be 
obtained by the attacker, and hence their security is still intact. 


Theorem 8: Offline Password Guessing and Privileged Insider Attacks are Thwarted 
in the Proposed Protocol. 


Proof: Suppose that some privileged insider intercepts $\{PD_{USP}\}$ sent from the USP 
towards the RA during the registration phase. It is also assumed that this privileged 
insider has utilized power analysis to retrieve security set 
$\{PID_{USP}^{*}, TT_U^{*}, K_2, P, SK_U^{**}, Q, h(\cdot)\}$ from memory. Thereafter, an attempt is made to 
derive $M = P \oplus h(PD_{USP} \| \psi)$. However, without knowledge of security token $\psi$, this 
computation fails since it cannot be determined from the captured memory parameters. 
Similarly, without $M$, security parameters $PD_S$ and $R = h(\psi \| M)$ cannot be computed. 
Table 2 presents the security robustness comparisons of the proposed protocol with other 
related schemes. 


Table 2. Attack model comparisons 


Attack model [23] [35] [4] [45] Proposed 


Offline password guessing — — = = 


Privileged insider = z — 


Physical capture — z = 


Impersonation Ap al 

MitM J af 

Forward key secrecy a} A 
J J 
x X 


Replay 


Anonymity 


BRYA IA RS 


Untraceability x x — 
DoS = — — 
Mutual authentication VA V ay 


RRA IR IRA ARR 


a 


Legend 
√ Effective 
× Ineffective 
— Not considered 


It is evident from Table 2 that the proposed protocol offers the highest number of 
security features compared with the other related schemes. 

4.2 Performance Analysis 


In this sub-section, the proposed protocol is evaluated in terms of the number of bytes 
exchanged during the authentication and key agreement phase. In addition, the execution 
time for the various cryptographic operations is also provided as discussed below. 


Bandwidth Requirements: During the authentication and key agreement phase, 
messages Msg2 = $\{Auth_{M1}, Auth_{M2}, Auth_{M3}, Auth_{M4}, T_1\}$, Msg3 = $\{Auth_{M6}, Auth_{M7}, 
Auth_{M8}, T_3\}$ and Msg4 = $\{Auth_{M10}, Auth_{M11}, Auth_{M12}, T_5\}$ are exchanged. Using the 
values in [45] and [46], the outputs of the various cryptographic operations are given in 
Table 3 below. 


Table 3. Cryptographic output sizes 


Operation Output size (bytes) 
EC point addition 40 
EC point multiplication 40 
HMAC 20 
SHA 1 16 
AES-128 encryption 16 
AES-128 decryption 16 
Identity 20 
Timestamp 4 
Random nonce 16 


As shown in Table 3, elliptic curve (EC) point encryption and decryption outputs 
are 40 bytes long while the Hash-based Message Authentication Code (HMAC) output 
is 20 bytes. On the other hand, random nonce, one-way hashing, advanced encryption 
standard (AES) encryption and decryption are 16 bytes each. In addition, timestamp and 
device identity are 4 bytes and 20 bytes long respectively. Based on these values, the 
bandwidth requirement of the proposed protocol is computed as follows: 


Msg? = {Authy = Authy2 = Authy3 = Authyz = 16, Tı = 4} = 68 bytes. 
Msg3 = {Authye = Authy7 = Authys = 16, T3 = 4} = 52 bytes. 
Msg; = {Authyio = Auth) = Authmı2 = 16, T5 = 4} = 52 bytes 


Consequently, the total bandwidth requirement in the proposed protocol is 172 bytes. 
On the other hand, the schemes in [4, 23, 35, 45] have bandwidth requirements of 248 
bytes, 298 bytes, 254 bytes and 204 bytes respectively, as shown in Fig. 4. 

It is evident from Fig. 4 that the authentication protocol in [35] has the highest band- 
width requirements while the proposed protocol has the least bandwidth requirements. 
As such, this protocol is the most applicable in a smart grid environment where most 
devices are energy constrained. 




Fig. 4. Bandwidth requirements comparisons (y-axis: Bandwidth requirements (bytes); x-axis: Protocol: [4], [23], [35], [45], Proposed)


Table 4. Execution times comparisons


Scheme Execution time (ms)
[45] 0.347
[4] 17.306
[35] 15.965
[23] 15.693
Proposed 0.05678


Execution Time: In a typical authentication scheme, one-way hashing T_H, symmetric
encryption T_E, symmetric decryption T_D, elliptic curve point multiplication T_EM, elliptic
curve point addition T_EA and Hash-based Message Authentication Code T_HMAC are
some of the cryptographic operations carried out. In the proposed protocol, 17 one-way
hashing operations are executed on the USP side while 8 hashing operations are executed
on the gateway node. On the other hand, 9 hashing operations are carried out on the smart
meter side. As such, the total computation overhead is 34 hashing operations. Using the
values in [45], T_H, T_E, T_D and T_EM operations consume 0.00167 ms, 0.0225 ms, 0.042
ms and 7.5045 ms respectively. As such, the total execution time in the proposed protocol
is 0.05678 ms as shown in Table 4.

The scheme in [23] requires 7T_H and 5T_EM operations while the protocol in [35]
needs 5T_H, 5T_EM and 1T_EA operations. On the other hand, the scheme in [4] requires 7T_H,
2T_E, 2T_D, 5T_EM and 4T_HMAC operations, while the protocol in [45] needs 16T_H, 2T_D and
2T_E operations. This explains their high execution times compared with the proposed
protocol. Since the proposed protocol has the least execution times, it does not overwhelm
the processors and hence is the most ideal for SG devices that are characterized by limited
computational power.


5 Conclusion and Future Work


The majority of conventional smart grid security schemes have been noted to be based on
public key infrastructure, blockchain, elliptic curve cryptography and bilinear pairing 
operations. However, inefficiency and susceptibility to numerous attacks are some of the 
shortcomings of these security solutions. Owing to the criticality of strong authentication, 
information privacy, key establishment, untraceability, anonymity and unlinkability, a 
novel security protocol is presented in this paper. It is shown that this protocol offers these 
security features at the least execution times and bandwidth requirements. In addition, 
it is demonstrated to be resilient against smart grid attack vectors such as offline pass- 
word guessing, denial of service, packet replays, privileged insider, man-in-the-middle, 
impersonation and physical capture. Consequently, this protocol is ideal for deployment 
in smart gas meters as well as in other smart grid devices with limited computation, 
transmission and energy. Future work in this domain lies in the formal verification of 
the security features provided by this protocol.


Abstract. Vehicular safety applications could save lives by sharing data not available
from line-of-sight sensors but they also require trust among a set of mutually
distrustful vehicles. We present a scheme for sharing validated vehicular trajectory 
data via vehicle-to-vehicle communication to help reduce traffic collisions. It does 
not require any centralized control or roadside infrastructure to function. Instead, 
vehicles share and validate data directly among each other. Our scheme combines a 
distributed blockchain model to create a permanent set of validated trajectory data. 
Vehicles join one or more consortium blockchains shared among nearby vehicles. 
Within each blockchain, vehicles share data between others nearby through a fully 
decentralized controlled flooding protocol. As blockchain and vehicular networks 
are prone to scalability concerns, we have designed our scheme specifically to 
address them. It limits the number of vehicles participating in each blockchain, 
bounds how widely trajectory data are shared, and organizes and merges redundant 
data to reduce total network traffic. We also discuss several future directions for 
assessing the relative performance profiles of specific blockchain and networking 
implementations. 


Keywords: V2V applications - Blockchain - Vehicular safety 


1 Introduction 


Widespread adoption of inter-vehicular safety applications (IVSAs) could save thou- 
sands of lives lost to traffic collisions every year [1] using vehicle-mounted mobile 
devices to share information among nearby vehicles. Although vehicles can use their 
own line-of-sight sensors to detect and evaluate dangers, many vehicular collisions occur 
specifically because the colliding vehicles cannot see each other. A common example is 
one car with the right-of-way entering an intersection while another, concealed behind 
a large truck, runs a red light and crosses its path (Fig. 1). Such collisions could be pre- 
vented by vehicles sharing their real-time trajectories by wireless communication with 
others nearby. 

Fig. 1. Traffic collision at an intersection: the blue vehicle has the right-of-way but does not see
the red vehicle entering the intersection. (Color figure online)


For IVSAs, accurate and secure information is vital. Malfunctioning sensors could
create and distribute bad data. Likewise, malicious participants might deliberately alter
IVSA data to provoke vehicular collisions. Many mechanisms to track reputation and
discourage good behavior have been proposed - [2] provides a good survey - but the recent
development of blockchain technology offers novel solutions to the challenges of trust.
In blockchain databases, batches of new data are confirmed by mutual agreement. Rather
than guaranteeing good behavior, blockchain creates trust between participants because
any improperly updated data would be easily detected. This offers a strong defense
against isolated malicious participants - vehicles will get the correct information from
other, non-malicious sources.

This paper proposes a peer-to-peer data management framework for blockchain- 
based IVSAs without infrastructure or a stable set of vehicles known to be trustworthy. 
All secure blockchain models require that either certain users are trusted or the blockchain 
is shared by a large user group to prevent its takeover by malicious actors. In IVSAs 
without infrastructure, however, participation of trusted vehicles would be difficult to 
guarantee. Thus, we focus on blockchain models with distributed ownership. A dis- 
tributed blockchain - shared by users with equal standing - requires a fairly numerous 
and continuous population of users to provide data security. 

Although the raw number of participants is readily obtained in IVSAs, group mem- 
bership must still be managed. For example, a group of nearby vehicles belonging to a 
blockchain would periodically lose members over time due to divergent or completed 
travel paths. In fact, it is entirely possible that an IVSA could use a hybrid blockchain 
model. For example, it could combine private and public elements or proof-of-stake
intermittently supported by proof-of-work. Likewise, vehicles could simultaneously belong
to multiple groups to help ensure a continuous data flow. In this paper, we are therefore
agnostic about the specific blockchain implementation and how it manages group
membership. 

The core of our framework is managing data flows within the vehicular network. Our 
goal is to ensure fast delivery of useful application data, e.g., the trajectories of nearby 
vehicles. In large-scale IVSAs, delivering every vehicle’s data to every other vehicle is 
undesirable, as the heavy network traffic would delay delivery of immediately useful 
data. In large-scale systems, propagation limits must either be enforced or else arise 
organically and unpredictably when network traffic injections exceed the actual delivery 
capacity. We propose adopting the Self-Balancing Supply/Demand (SBSD) protocols 
[3], which dynamically bound data propagation according to metrics of the data’s age, 
popularity, and distance from the source. 

The rest of this paper is structured as follows. Section 2 discusses a selection of rel- 
evant research. Section 3 briefly covers the basics of blockchain and the SBSD model. 
Section 4 describes how our scheme will operate, in particular the mechanics of gen- 
erating, processing, and sharing data. We conclude in Sect. 5 with a summary of our 
proposal and offer a few future directions for our research. 


2 Related Research 


Useful vehicle-to-vehicle (V2V) communication technologies exist but have not been 
widely implemented. Basic questions, like the selection and usage of wireless communication
standards and security policies, have not been fully resolved. Ongoing debates
involving automakers, technology developers, and government agencies - essentially,
what technology to use and how to use it - have stalled the adoption of existing technology.
In fact, in the United States, half the bandwidth reserved for V2V communications
was recently released for general usage [4]. 

The recent, explosive growth of the cryptocurrency sector has followed decades 
of research in data security that eventually led to blockchain. Interested readers might 
consult [5] to learn about core blockchain models and their applicability to real-world 
problems. Certainly, blockchain has received a great deal of attention for processing 
financial transactions, reflected in an abundance of research output. Security is naturally 
also a core concern for blockchain research; [6] provides a good introduction to the 
major security issues in blockchain implementations. In vehicular contexts, researchers 
have proposed and evaluated adopting blockchain for various building blocks of secure 
IVSAs, such as: 


• Data management via blockchain in vehicular ad hoc networks [7, 8]
• Securely processing payments between electric vehicles and the grid [9]
• Privacy-preserving authentication [10-12]
• Group management: managing blockchain group memberships [13, 14]
• Evaluating the performance of blockchain under the high mobility typical of vehicular
networks [15].


The other element of our scheme is the SBSD model for sharing data. SBSD is an 
alternative to models that manage routing paths in vehicle groups. By including age
and distance metrics with packets, SBSD regulates data propagation without directly
managing vehicle groups. Compared to [14], no clusters need to be managed and no 
cluster heads elected. Similarly, in [13], the blockchains are linked to large spatial areas 
without a mechanism for dynamically changing the covered areas. In contrast, our SBSD 
model is inherently adaptable to changing conditions of vehicle population, effective 
transmission distance, and wireless data transmission capacity. 

SBSD grew out of an earlier model [16] for ranking data according to factors like 
age and popularity, as a mechanism for delivering the most interesting data within trans- 
mission capacity limits. When data flows exceed network capacity, participants must 
decide which packets to forward. In SBSD, only high-ranking packets (e.g., new and 
close to their point of origin) are forwarded by receiving vehicles. Analogous to Facebook’s
EdgeRank algorithm, which ranked the order in which posts would appear in a user’s 
feed, SBSD uses similar methods to regulate data propagation. 


3 Model Components 


Let us now briefly cover the basic concepts of blockchain and SBSD, in Subsects. 3.1 
and 3.2, respectively. 


3.1 Blockchain 


Fundamentally, blockchain is a data management technology for letting mutually dis- 
trustful users share information and quickly verify its correctness. Data is managed in 
batches called blocks. When a new block is created, database records can be added to 
it by blockchain users. However, these records must be approved by consensus - if one 
user tries to insert bad data, other users are expected to reject it and prevent its insertion. 
In IVSAs, vehicles would advertise their own recent trajectory and others would confirm 
its correctness. Eventually, the current block will be full - they hold a finite number of 
records - and it will be permanently added to the blockchain, with a timestamp and hash 
codes to facilitate detection of any changes to the finished block. 

Next, we consider who can use a given blockchain. Blockchains can be public — 
allowing anyone to read and write data — or private, only allowing access to members of 
a single organization. An intermediate possibility is the consortium blockchain model, 
which allows access to members of multiple organizations. However, the larger the pool 
of users, the more work is entailed in getting a majority of users to approve a record. 
To ensure the processing needed to prevent vehicular collisions can happen in real-time, 
each blockchain would be owned by a small, localized vehicle group. 

Within the IVSA context, each new blockchain database record would be a fixed- 
time trajectory segment and each block would let every vehicle add the same number 
of records. Every block would thus cover a known time interval and every record in a 
parent block would predate every record in any of its child blocks. This would facilitate 
recognizing missing records in the block, helping ensure a complete and sequential set 
of traffic data. 

To create a new record, a vehicle announces a set of its own recent trajectory segments. 
When other nearby vehicles confirm the set, the confirmed record would be shared with the
rest of the group and be added to their block copies. Within an appropriate time after the
expected end of the block’s time interval, the block would be confirmed by consensus. 
This blockchain model would give vehicles actionable data before finalizing each block. 
In the long term, sources of improperly altered data can be recognized. In cases of 
disputed data, vehicles might cautiously treat all conflicting data as being possible, but 
this policy certainly requires further development. 

Blockchain does present unique security risks since consensus can be gained through 
fraud. For example, a single vehicle controlling many phony vehicle identities could 
confirm bad data. Likewise, a set of malicious users with a simple majority of the 
group could achieve the same outcome, i.e., a 51% attack. Although it would be
possible for a trusted authority (such as roadside infrastructure) to provide this security, 
we envision a system distributed over the vehicles themselves. In this case, a trusted 
blockchain should have its ownership shared over a large group of users over time, with 
reliable user verification. 

Because blockchain is a novel technology with standards still in development, there 
are many questions about how a blockchain system with adequate security and speed 
would be implemented. We do not address that question in this paper nor claim superiority 
for a particular blockchain implementation, e.g., in the proof-of-work vs. proof-of-stake 
approaches. In fact, a single system might well use multiple blockchain technologies. 

For example, hybrid systems like Decred employ both proof-of-stake (for its low 
energy consumption) and proof-of-work (to offer security against large but malicious 
cryptocurrency holders). Accordingly, we believe the membership application should be 
a modular one, which simply gathers vehicle population data and, when needed, forwards 
that information to the various blockchain users. Ideally, this application should also be 
able to automatically regulate bandwidth consumption among a background of other 
V2V applications. 


3.2 Self-balancing Supply/Demand 


The SBSD framework provides a low-overhead probabilistic framework for regulating 
network traffic flows. Fundamentally, SBSD is a controlled flooding protocol which 
dynamically limits every packet’s flooding extent. To limit propagation, vehicles only 
forward (via broadcast) the most relevant packets within the limits of their transmission 
capacity. Each packet’s header stores its age and hop count from its source to allow 
calculating the relevance metric: 


1 / [(age) (hops)^{1/2}]    (1)


As a packet travels away from its source, each hop increases the hop count and 
the packet gets older, decreasing the packet’s relevance and making it less likely to be 
forwarded again. 

The relevance metric may be multiplied by a popularity factor, frequency, which 
tracks the number of times a packet is independently created. For example, an urgent 
safety message might be simultaneously created by multiple vehicles. Frequency will 
multiply the relevance metric above, i.e.: 


(frequency) / [(age) (hops)^{1/2}]    (2)


More popular content has higher relevance, all else equal, causing those packets to
be forwarded for longer and over a larger area. For a blockchain group, frequency could 
also be aligned with group populations and areas, so that packets are flooded over the 
approximate extent of the group. 

Finally, to hasten packet delivery in the network, new packets are transmitted accord- 
ing to a binary exponential backoff model. A packet received at a node n with enough 
relevance to be forwarded will typically be forwarded at n’s next opportunity to trans- 
mit. Thereafter, subsequent retransmissions will take about twice as long. This approach 
helps ensure that new data injected into the network will be quickly shared but retrans- 
missions will substantially slow down after most nodes in the vicinity have probably 
already received it. 


4 Model Operation 


This section describes how our scheme shares and processes vehicle trajectory data in a 
blockchain. We assume that the blockchain mechanics — like tracking membership and 
finalizing each block — are handled outside of our scheme. We also note that our scheme 
is inherently designed to accommodate vehicles simultaneously belonging to more than 
one blockchain. 

In our scheme, vehicles maintain a table of data for each blockchain, consisting 
of a list of vehicles, their trajectories, and the sources of that data. We describe the 
data vehicles generate and transmit (Sect. 4.1), then how recipients process the data 
(Sect. 4.2), how the data may be forwarded (Sect. 4.3), and beneficial aspects of our 
approach (Sect. 4.4). 


4.1 Generation 


Each vehicle will periodically measure and transmit its own trajectory to other nearby 
vehicles, with itself as the source. Let the transmitting vehicle be v_s and the set of recipients
be V. The source v_s will add its own trajectory t_s to the tables for its blockchains. The
initial relevance of the packet will be created with age and hops at 0. Because the packet 
will have high relevance, it will be transmitted immediately and then given priority in 
forwarding. 


4.2 Processing 


When a vehicle v_i in V receives the packet from v_s, it will compare the new data to its
own last confirmed trajectory from v_s. If the data appears correct, it will add its own
identifier to the packet payload. Ideally, the data verification would use line-of-sight
but alternative methods could be used for vehicles that cannot be seen due to terrain
obstacles. For example, v_i could verify that the recent trajectory segments connect and
any speed changes are plausible for v_s.

The updated trajectory data would be kept as a tree list of verifications for the
trajectory. For each vehicle in the blockchain, v_i would maintain entries as a list starting
with the root - the source vehicle v_s - and the sequence in which verifications were
made. In the tree graph, all vehicles in V would be child nodes of v_s and each vehicle
in V could have its own child nodes, vehicles which did not receive the trajectory data
directly from v_s.

For any {time interval, vehicle} pair, multiple trajectory measurements could exist. 
However, without tampering, each vehicle ultimately can only confirm one of them. 
Thus, the number of votes for a particular trajectory is simply the number of confirming 
vehicles in the tree. When enough votes for a particular trajectory are obtained (either 
a majority or some supermajority, depending on the blockchain model), the trajectory 
can be added to the blockchain as a permanent record. 


4.3 Forwarding 


Vehicles will packetize the tree lists of trajectory data and forward the data to nearby 
vehicles. Prior to transmitting, the forwarding vehicle will update the hop and age metrics 
so that each transmission is already updated at receipt. To use network transmission 
capacity more efficiently, tree lists with similar relevance might be bundled together and 
transmitted as batches. 

Recall that each vehicle in a blockchain knows all members of that blockchain 
and that vehicles may belong to multiple blockchains. To limit superfluous forwarding, 
vehicles only forward data involving vehicles from their own blockchain group(s). Any 
vehicle receiving a packet about a vehicle not in its blockchain(s) would simply not 
forward it. 
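
The forwarding rules of Sects. 3.2 and 4.3, written out in Python as an added example (not the authors' code or an SBSD reference implementation). The names Header, Entry and forward_round, the slot length SLOT_S, and the choice to rank a packet whose age or hop count is 0 above all others are assumptions made here; the queue in demo() is constructed.

```python
import math
from dataclasses import dataclass, replace

SLOT_S = 0.125  # assumed length of one transmit opportunity, in seconds


@dataclass(frozen=True)
class Header:
    subject: str        # vehicle whose trajectory the packet carries
    age_s: float        # seconds since the source created the packet
    hops: int           # hops travelled from the source
    frequency: int = 1  # times the same content was created independently


@dataclass
class Entry:
    """Local bookkeeping for one queued packet (never transmitted)."""
    header: Header
    received_s: float         # local clock when the packet arrived
    sends: int = 0            # broadcasts already made by this node
    last_sent_s: float = 0.0  # local clock of the latest broadcast


def relevance(h):
    """Eq. (2): frequency / (age * hops^(1/2)); Eq. (1) when frequency is 1."""
    if h.age_s < 0 or h.hops < 0 or h.frequency < 1:
        raise ValueError("header field out of range")
    denom = h.age_s * math.sqrt(h.hops)
    # A packet still at its source has age 0 and hops 0 (Sect. 4.1), so the
    # quotient is undefined. Assumption: rank it above every other packet.
    return math.inf if denom == 0 else h.frequency / denom


def header_now(e, now_s):
    """Header with the time spent in this node's queue added to its age."""
    return replace(e.header, age_s=e.header.age_s + (now_s - e.received_s))


def backoff_due(e, now_s):
    """Binary exponential backoff: send at once, then wait 1, 2, 4, ... slots."""
    if e.sends == 0:
        return True
    return now_s - e.last_sent_s >= SLOT_S * 2 ** (e.sends - 1)


def forward_round(queue, group_members, capacity, now_s):
    """Choose at most `capacity` packets to broadcast at time `now_s`.

    Only packets about vehicles in this node's blockchain group(s) are
    considered (Sect. 4.3). Returns the headers as they go on the air, with
    age and hop count already updated for the receiver.
    """
    due = [e for e in queue
           if e.header.subject in group_members and backoff_due(e, now_s)]
    due.sort(key=lambda e: relevance(header_now(e, now_s)), reverse=True)
    outgoing = []
    for e in due[:capacity]:
        h = header_now(e, now_s)
        outgoing.append(replace(h, hops=h.hops + 1))
        e.sends += 1
        e.last_sent_s = now_s
    return outgoing


def demo():
    """Constructed queue at one vehicle; car-X is outside its blockchain group."""
    members = {"car-A", "car-B", "car-C"}
    queue = [
        Entry(Header("car-A", 0.0, 0), received_s=0.0),               # own, fresh
        Entry(Header("car-B", 2.0, 4), received_s=0.0),               # old, far
        Entry(Header("car-C", 0.5, 1, frequency=3), received_s=0.0),  # popular
        Entry(Header("car-X", 0.25, 1), received_s=0.0),              # filtered
    ]
    rounds = [forward_round(queue, members, capacity=2, now_s=t)
              for t in (0.0, 0.0625, 0.125, 0.25)]
    return [[h.subject for h in r] for r in rounds]


if __name__ == "__main__":
    print(demo())
```

With a capacity of two packets per round, the fresh and the popular packet go out first, the old one fills the gap while they back off, and car-X is never forwarded.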


4.4 Verification 


For trajectories that cannot be directly verified by its own line-of-sight sensors, a vehicle
must inevitably accept data from those with direct knowledge. So, our scheme is designed
to facilitate detection of bad data received indirectly. An immediate alteration of a new 
trajectory generated by a vehicle vs will not succeed because other vehicles directly verify 
the trajectory of vs. The alteration would be easily detected. However, later elements of 
a tree list, which cannot be directly verified, are a more serious concern. 

The existence and sharing of multiple copies of trajectory data, received from mul- 
tiple sources, provides security against isolated incidents of tampering. For example, 
if a tree list entry shows a vehicle confirming two different trajectories, vehicles can 
recognize and exclude the vehicle providing the bad data. Two foreseeable malicious 
actions are altering trajectory data and altering vehicles in the tree lists: 

Altering Trajectory Data: If a vehicle v forwards an incorrect trajectory, other 
vehicles earlier in the sequence will recognize it. They can see that v sent bad data that 
did not match what they confirmed. Downstream vehicles from v will likewise recognize 
that v’s claims conflict with others from the same source, the parent node of v in the tree 
list. 

Altering Vehicle Identities: Suppose a vehicle v changes the tree list, either altering 
a vehicle identity v’ or changing the sequence of confirmations. Then, v transmits the 
changed list. Again, recipients will recognize the change. If they received data directly 
from v’, they know that v changed the data and will not confirm it. This will prevent
v from gaining a majority in the blockchain voting process even if all other vehicles
confirm both versions of the tree list. 

Malicious alteration attempts like the above by single vehicles are typically easily 
detected. However, coordinated malicious behavior by groups of nodes cannot always 
be stopped. Still, this is not a disqualifying weakness for blockchain. In any shared 
database system, some users must be able to make updates and might act maliciously. 
Blockchain relies on making coordinated malicious behavior prohibitively difficult — 
there are simpler and more certain ways to cause harm than getting multiple vehicles to 
travel together and deliberately manipulate vehicular safety data. 
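
One way a vehicle could process received tree lists as Sects. 4.2 to 4.4 describe, as an added Python example that is not the authors' code. It assumes the receiver knows which neighbour delivered each copy and keeps what it heard directly from each vehicle; the class and field names, the rule that a vehicle seen under two trajectories counts for neither, and the scenario in demo() are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TreeList:
    interval: int      # index of the fixed-time trajectory segment
    source: str        # v_s, the root of the tree
    trajectory: tuple  # claimed segment as points, e.g. ((0, 0), (5, 0))
    edges: tuple       # (confirmer, parent) pairs in confirmation order
    sender: str        # neighbour that delivered this copy (assumed known)


def tree_members(tl):
    """Vehicles named in the list; raises unless it is a tree rooted at v_s."""
    seen = {tl.source}
    for child, parent in tl.edges:
        if parent not in seen or child in seen:
            raise ValueError(f"entry ({child}, {parent}) breaks the tree order")
        seen.add(child)
    return seen


class Verifier:
    """One vehicle's view of the tree lists for its blockchain group."""

    def __init__(self, group, quorum=0.5):
        self.group = set(group)
        self.quorum = quorum   # fraction of the group that must be exceeded
        self.first_hand = {}   # (interval, source, vehicle) -> trajectory
        self.copies = []       # (tree list, members) pairs that were kept
        self.excluded = set()  # senders caught relaying an altered list

    def heard_directly(self, interval, source, vehicle, trajectory):
        """Record the trajectory `vehicle` itself announced or confirmed to us."""
        self.first_hand[(interval, source, vehicle)] = trajectory

    def receive(self, tl):
        """Keep a relayed copy unless it is malformed or contradicts first-hand data."""
        if tl.sender not in self.group or tl.sender in self.excluded:
            return False
        try:
            members = tree_members(tl)
        except ValueError:
            return False
        for v in members:
            known = self.first_hand.get((tl.interval, tl.source, v))
            if known is not None and known != tl.trajectory:
                self.excluded.add(tl.sender)  # the relay changed what v told us
                return False
        self.copies.append((tl, members & self.group))
        return True

    def decide(self, interval, source):
        """Return the trajectory whose votes exceed the quorum, else None."""
        voters = defaultdict(set)  # trajectory -> vehicles confirming it
        for tl, members in self.copies:
            same = (tl.interval, tl.source) == (interval, source)
            if same and tl.sender not in self.excluded:
                voters[tl.trajectory] |= members
        for (i, s, v), traj in self.first_hand.items():
            if (i, s) == (interval, source) and v in self.group:
                voters[traj].add(v)
        seen_in = defaultdict(int)
        for vs in voters.values():
            for v in vs:
                seen_in[v] += 1
        # A vehicle can confirm only one trajectory per interval; one that shows
        # up under two is disputed and counts for neither (assumption).
        disputed = {v for v, n in seen_in.items() if n > 1}
        for traj, vs in voters.items():
            if len(vs - disputed - self.excluded) > self.quorum * len(self.group):
                return traj
        return None


def demo():
    """Constructed scenario: vehicle D processes copies for source S, interval 7."""
    true_t, altered = ((0, 0), (5, 0)), ((0, 0), (0, 5))
    d = Verifier(group={"S", "A", "B", "C", "D"})
    d.heard_directly(7, "S", "A", true_t)  # A's own confirmation reached D
    kept = [
        d.receive(TreeList(7, "S", true_t, (("A", "S"),), sender="A")),
        d.receive(TreeList(7, "S", altered, (("A", "S"), ("C", "A")), sender="C")),
        d.receive(TreeList(7, "S", true_t, (("A", "S"), ("B", "A")), sender="B")),
    ]
    return kept, d.excluded, d.decide(7, "S")


if __name__ == "__main__":
    print(demo())
```

In the constructed run, C's copy is rejected because it contradicts what A told D directly, and the unaltered trajectory still reaches three of five votes from S, A and B.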


5 Conclusion 


This paper presented a framework for combining blockchain and SBSD as a secure, scal- 
able, and decentralized solution to sharing information in IVSAs. Certainly, there remain 
many details to clarify and questions to resolve. Our next steps will be to clearly model 
blockchain implementations, including security policies and membership management. 
Then, we will run the corresponding simulations of V2V applications. This will provide 
better understanding of the tradeoffs from different blockchain models regarding the 
timeliness, completeness, and security of IVSA data. Many performance comparisons 
can be made for variables such as: 


• Data delivery and confirmation speed: Assuming trustworthy vehicles, how quickly
can data be shared and confirmed within the entire group?

• Faulty or malicious group members: How is IVSA performance affected by isolated
or small groups of malicious vehicles?

• Group membership convergence: How is IVSA performance affected by frequent
changes in group membership?

• Network overhead: How much network traffic is required to deliver group membership
information?

• Reliability: What guarantees are given that required information arrives?


In the coming years, vehicular safety technology will continue to be developed 
and standardized. Growing adoption of 5G technology will alleviate data transmission 
bottlenecks, allowing more data to be shared faster and over larger areas. Self-driving 
cars will become more common and perhaps ubiquitous. We look forward to seeing how 
these trends converge in vehicular safety applications.


Abstract. Real-time traffic information sharing can make transportation
more effective, which requires the vehicles on the road to participate
actively in road condition reporting. However, in an untrustworthy
network environment, the dissemination of malicious traffic information will
result in severe traffic issues, and the risk of disclosing users’
private information may also increase. To address these problems,
we propose a trust-based and secure real-time traffic information sharing
scheme. In particular, the trust value of each vehicle is calculated by the
trusted organization, and the system updates the real road conditions
according to the calculated results. Moreover, we utilize an improved
pairing-free certificateless aggregate signature technique to provide the
security service. As shown in the simulation results, the computing cost
is reduced by using the aggregate signature technique. In addition,
the reliability of data is improved through trust management of
vehicle users, and the sybil attack can be alleviated.


Keywords: Internet of vehicle - Real-time traffic information sharing - 
Trust - Anonymity 


1 Introduction 


According to statistics, the number of licensed vehicles around the world exceeds
1 billion, a number that will double in the next 10 to 20 years. The explosive growth
of car ownership has caused many serious social problems, such as road safety, traffic
congestion and air pollution [3]. To make the driving environment safe and efficient,
vehicles can upload up-to-date traffic information using various kinds of communication
devices and vehicle-mounted transducers [9,16]. At present, traffic information sharing
schemes based on GPS (Global Positioning System) positioning have been widely studied
and applied [4], but they cannot reflect accurate traffic information. In these schemes,
the reporting vehicle voluntarily uploads its GPS information to a trusted agency, but
the schemes lack privacy and data security protection as well as any judgment of
information authenticity. For these reasons, the development of traffic information
sharing systems has been seriously affected. Once the reporting vehicle reports
traffic information, that information is no longer controlled by the vehicle itself,
but is calculated and processed by RSUs (Roadside Units) and TAs (Trusted Agencies).
Therefore, how to ensure the integrity of the reported traffic information
and the confidentiality of the reporting vehicle has become a new challenge for
traffic information sharing [10]. Meanwhile, due to the lack of verification
measures, the accuracy of traffic information sharing is reduced
when malicious vehicles deliberately distribute incorrect road condition information
in the system, thus affecting the efficiency and safety of vehicles
on the road. Researchers have therefore become aware of the need to assure
security in the IoV (Internet of Vehicles). In general, cryptography-based
solutions [15] and trust-based solutions [5] are the two ways to address
the security issues in the IoV.

To solve the above problems, this paper introduces the ideas of certificateless
aggregate signatures and trust management into traffic information sharing.
The general process of the system is as follows. When the RSU receives road
information from the reporting vehicle, it sends the message to the nearby
verifying vehicles, and the verifying vehicles then give their feedback.
After the RSU verifies the legitimacy of the vehicles, it sends all
vehicles’ messages to the TA using aggregate signatures.
After that, to prevent the spread of malicious messages, the TA calculates the trust
values of the vehicles using trust management. During the whole process, the
privacy of the user’s vehicle is not disclosed to any party. The main
contributions of this paper are summarized below:


— An effective trust evaluation scheme is designed. Vehicles can share traffic
information independently in the scheme, which can prevent malicious
vehicles from spreading incorrect information in the scheme.

— To ensure that only legitimate vehicles are certified, a certificateless encryption
and aggregate signature technique [6] is employed, which can also protect
the privacy of the user’s vehicle.

— By using the aggregate signature technique, the computing cost is reduced. In
addition, the reliability of data is improved through credit management of
vehicle users, and the sybil attack can be alleviated.


2 Related Work 


2.1 Trust Management 


Trust has become important in the IoV. A trust scheme predicts users’ future
behaviour from their past reputation. A trust management scheme plays an
important role in the security and privacy of user information in the Internet
of Vehicles. In the traffic information sharing system, the trust value, also
known as the trust level, describes the expectation placed on a user, and trust
management uses the historical interaction experience of the user’s vehicle to
reduce various threats and risks. The author proposes a true-filtering
algorithm for wireless sensor networks. The basic idea is that the closer the
data of a user’s vehicle is to the preset credit score, the higher the weight
it is assigned, and data provided by a user’s vehicle with a higher weight is
more likely to be considered the true feedback information [11]. To deal with
reports of false news, Zhang, C. et al. [13] propose an artificial intelligence
trust management system for vehicle-mounted networks based on blockchain
technology. Malicious vehicles can remain in the scheme for a long time because
the system has no punitive measure against malicious users. The critical part
of a traffic information sharing scheme is eliminating the malicious vehicles
[12]. A protocol for anonymously aggregating vehicle notifications in a base
station controller is proposed. It uses identity-based group signature
technology to achieve conditional privacy. If a malicious vehicle sends a false
message, the trusted institution can track its identity in an anonymous
announcement through the public address of the blockchain [7].


2.2 Certificateless Aggregate Signature 


In 2003, Al-Riyami et al. proposed certificateless public key cryptography at
ASIACRYPT, and the cryptosystem was gradually studied and applied in the V2N
system. A new, efficient, certificateless set signature based on an elliptic
curve cryptosystem is proposed, and its ability to support conditional privacy
protection is proved [2]. To deal with the problem that data is difficult to
search after encryption, Du, H. et al. [1] propose a scheme that grants the
cloud server the right to perform equality tests on encrypted data. This scheme
can retrieve the results without the cloud server learning any relevant
information about the ciphertext [8]. A lightweight certificateless and
pairing-free scheme is proposed, which is feasible without infrastructure. The
scheme can resist attacks with a small computational cost. Some studies have
proposed a privacy-protected certificateless set signature scheme based on
hierarchical trust institutions for message authentication. The scheme does not
require key escrow, and any entity within the scheme can verify the messages
received by vehicles running under different trust institutions. In this paper,
we utilize the improved pairing-free certificateless aggregate signature
technique [6] to provide the security service in our scheme.


3 System Background 


In this section, we describe the background of the system, including the system 
model and the adversary model. 


3.1 System Model 


The system model is mainly composed of three parts: vehicle, TA and RSU. 

— Vehicles: These nodes are OBUs (On Board Units) on the vehicle and have
some storage capability. The vehicle can actively report the road condition
information to the nearby RSU, and can also put forward its own opinion on the
road condition information sent by the RSU and report that opinion to the
RSU. In this scheme, vehicles are divided into reporting vehicles and
verification vehicles.


Reporting vehicle: The reporting vehicle can report its road condition infor- 
mation to the RSU at any time and wait for the system to verify the correct- 
ness of the message through calculation. 


Verification vehicles: These vehicles receive traffic information from the RSU
and choose whether or not to participate in the validation. When a verification
vehicle validates a message, it sends its opinion (agree or disagree with the
traffic information reported by the vehicle) to the RSU and waits for the
system to verify it.


— TA (Trusted Authority): This entity is responsible for all participants and 
maintains a database to store the trust value of the user’s vehicle. It has full 
resource storage and data computing capabilities. The trusted agency can 
calculate the credibility of each vehicle based on the data submitted by the 
RSU to determine whether the traffic information is true or not. Based on 
the results of the calculation, the traffic information is updated and the lying 
vehicle is punished. 


— RSU (Roadside Units): The RSU, known as the roadside unit, is a subsidiary 
of the trusted authority TA. It has limited resources but higher computing 
power than the vehicle to ensure that the RSU can verify the legitimacy of 
the user’s vehicle identity and perform the aggregation operation to send to 
the trusted authority TA. 


3.2 Adversary Model 


Both reporting vehicles and verifying vehicles will attempt to upload false
traffic information to the system to interfere with the normal traffic
environment. The main attack considered in this paper is the message spoofing
attack, in which the attacker covers up the real road condition by reporting
false information to the RSU. For example, a malicious vehicle may, for its own
purposes, report a traffic jam to a nearby RSU when the road is clear.


4 Proposed Scheme 


A road condition evaluation scheme based on privacy and trust management is 
proposed, which includes system overview, vehicle reporting and authentication 
stage, and information management and verification stage (Fig. 1). 

Fig. 1. System architecture


4.1 Overview 


A vehicle that reports road condition information to the RSU is called the
reporting vehicle. The RSU sends the road condition information to the nearby
vehicles other than the reporting vehicle; these are called verification
vehicles. Each verification vehicle submits its opinion on the road condition
information (agree or disagree) to the RSU. The RSU then verifies the
legitimacy of the vehicle through a certificateless encryption scheme. When the
verification vehicle passes the verification, the RSU submits the vehicle
information and road condition opinions of the verification vehicle to the TA
through the aggregate signature. The TA calculates and verifies the
authenticity of the road condition information submitted by the vehicle with
the trust evaluation algorithm, based on the historical data of the vehicle.
Based on the results of the trust evaluation algorithm, the TA records the new
credit scores of the reporting vehicle and the verification vehicles and
updates the latest traffic conditions on the traffic information sharing system
(Table 1).


4.2 System Initialization 


Vehicle outputs the following system parameters when it gets the security
parameter $k \in Z^{+}$. Select a group $G$ of prime order $q$ and a generator
$P$ of the group $G$. Compute the vehicle’s master public key $P_{pub} = sP$,
where $s$ is the master secret key, chosen as $s \in Z_q^*$. Pick hash functions
$H: G \times G \to Z_q^*$, $H_1: \{0,1\}^* \times G \times G \to Z_q^*$,
$H_2: \{0,1\}^* \times \{0,1\}^* \times G \to Z_q^*$, and
$H_i: \{0,1\}^* \times \{0,1\}^* \times G \to Z_q^*$ for $i = 3, 4$. Publish the
system parameters as $params = \{q, G, P, P_{pub}, H, H_1, H_2, H_3, H_4\}$ and
keep the master secret key secure.

Table 1. Formalized notations involved in traffic information sharing scheme

| Notation | Descriptions |
|---|---|
| $k$ | Security parameter |
| $q$ | Prime |
| $G$ | Cyclic group of prime order $q$ |
| $params$ | System parameter |
| $Z_q$ | Finite field |
| $Z_q^*$ | $Z_q \setminus \{0\}$ |
| $H_1, H_2, H_3, H_4$ | Cryptographic hash function |
| $(P_{pub}, s)$ | Public and private key pair of TA |
| $RID_i$ | Real identity of V |
| $ID_i$ | Pseudo identity of V |
| $D_i$ | Partial private key of V |
| $(PK_i, SK_i)$ | Public and private key pair of V |
| $ROT$ | Role-oriented trust |
| $isT$ | Credit scores for individual vehicles |
| $d$ | Distance score |
| $\xi$ | Tier-boundary |
| $Trust$ | Whether the message is trusted |


4.3 Vehicle Registration and Verification Stage 


With $params$, $s$ and the real identity $RID_i$ of a vehicle as input, the TA
computes the vehicle’s partial private key as follows. It chooses
$r_i \in Z_q^*$ and computes $R_i = r_i P$. It computes the pseudo identity
$ID_i = RID_i \oplus H(r_i P_{pub}, T_i)$, where $T_i$ is the validity period of
the corresponding pseudo identity. It generates
$h_{1i} = H_1(ID_i, R_i, P_{pub})$ and $d_i = r_i + s h_{1i} \bmod q$. The TA
sends $(ID_i, R_i, D_i)$ to the corresponding vehicle and installs
$D_i = (d_i, R_i)$. The vehicle checks the equation
$d_i P = R_i + h_{1i} P_{pub}$. If the equation holds, the vehicle accepts the
partial private key $D_i$ for $ID_i$ at $T_i$.

Each vehicle performs the following to generate its public and private key
pair once it has accepted $D_i = (d_i, R_i)$. It computes $X_i = x_i P$, with
$x_i \in Z_q^*$ as the secret key, and sets $PK_i = (X_i, R_i)$ as the public
key and $SK_i = (x_i, d_i)$ as the secret key.

Once the public key and the secret key are set, the vehicle signs a given
message $m_i \in \{0,1\}^*$ with $ID_i$, $SK_i$, $params$ and the current
timestamp $t_i$. It chooses $y_i \in Z_q^*$ and computes $Y_i = y_i P$. Let
$u_i = H_2(m_i, ID_i, Y_i)$ and
$W_i = (u_i (y_i + h_{3i} x_i) + h_{4i} d_i) P$, where
$h_{3i} = H_3(m_i, ID_i, PK_i, t_i)$ and $h_{4i} = H_4(m_i, ID_i, PK_i, t_i)$.
The output is a signature $\sigma_i = (Y_i, W_i)$ on the message $m_i \| t_i$.

When the RSU gets the message from the vehicle, it computes
$h_{3i} = H_3(m_i, ID_i, PK_i, t_i)$, $h_{4i} = H_4(m_i, ID_i, PK_i, t_i)$ and
$u_i = H_2(m_i, ID_i, Y_i)$, and accepts the signature when
$W_i - u_i (Y_i + h_{3i} X_i) = h_{4i} (R_i + h_{1i} P_{pub})$ holds.

In addition, the RSU generates an aggregate signature $\sigma$ from $n$ distinct
signatures $(\sigma_i)_{i=1,\ldots,n}$ on different messages
$(m_i \| t_i)_{i=1,\ldots,n}$ from different vehicles with corresponding
identities $(ID_i)_{i=1,\ldots,n}$: $\sigma = (Y, W)$, where
$W = \sum_{i=1}^{n} W_i$, $Y = \sum_{i=1}^{n} u_i Y_i$ and
$u_i = H_2(m_i, ID_i, Y_i)$. The RSU sends $\sigma = (Y, W)$ to the TA. The TA
checks whether $W - Y - U = \sum_{i=1}^{n} h_{4i} (R_i + h_{1i} P_{pub})$ holds,
where $h_{1i} = H_1(ID_i, R_i, P_{pub})$, $h_{3i} = H_3(m_i, ID_i, PK_i, t_i)$,
$h_{4i} = H_4(m_i, ID_i, PK_i, t_i)$ and $U = \sum_{j=1}^{n} u_j h_{3j} X_j$. If
it holds, the TA accepts the aggregate signature $\sigma$; otherwise it rejects
it.
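
The registration, signing, verification and aggregation steps above, run end to end as an added Python example (not the authors' Java implementation). Assumptions: secp256k1 as the group G, SHA-256 with domain tags for H and H_1 to H_4, the signer releasing the scalar w_i with W_i = w_i P formed by the verifier, and the RSU forwarding each Y_i so the TA can recompute u_i.

```python
import hashlib, secrets

# Assumption: secp256k1 plays the group G of prime order q with generator P.
FP = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, FP - 2, FP) % FP
    else:
        lam = (y2 - y1) * pow(x2 - x1, FP - 2, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def sub(A, B):
    return add(A, None if B is None else (B[0], -B[1] % FP))

def mul(k, A):  # double-and-add k*A, illustrative and not constant time
    R, k = None, k % Q
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def rand():
    return secrets.randbelow(Q - 1) + 1            # uniform in Z_q^*

def Hq(tag, *parts):
    """Assumption: SHA-256 with a domain tag stands in for H, H_1 ... H_4."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        b = repr(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1

def ta_setup():
    s = rand()
    return s, mul(s, P)                            # master secret s, P_pub = sP

def ta_issue(s, Ppub, rid, T):
    """TA: pseudonym ID_i and partial key (d_i, R_i) for real identity rid (int)."""
    r = rand()
    R = mul(r, P)
    ID = rid ^ Hq("H", mul(r, Ppub), T)            # ID_i = RID_i xor H(r_i P_pub, T_i)
    return ID, R, (r + s * Hq("H1", ID, R, Ppub)) % Q

def ta_trace(s, ID, R, T):
    """Only the holder of s can unmask a pseudonym, since r_i P_pub = s R_i."""
    return ID ^ Hq("H", mul(s, R), T)

def vehicle_keygen(ID, R, d, Ppub):
    if mul(d, P) != add(R, mul(Hq("H1", ID, R, Ppub), Ppub)):
        raise ValueError("partial private key rejected")
    x = rand()
    return (mul(x, P), R), (x, d)                  # PK_i = (X_i, R_i), SK_i = (x_i, d_i)

def sign(m, t, ID, PK, SK):
    x, d = SK
    y = rand()
    Y = mul(y, P)
    u, h3, h4 = Hq("H2", m, ID, Y), Hq("H3", m, ID, PK, t), Hq("H4", m, ID, PK, t)
    return Y, (u * (y + h3 * x) + h4 * d) % Q      # (Y_i, w_i) with W_i = w_i P

def key_term(m, t, ID, PK, Ppub):  # h_4i (R_i + h_1i P_pub), right side of both checks
    R = PK[1]
    return mul(Hq("H4", m, ID, PK, t), add(R, mul(Hq("H1", ID, R, Ppub), Ppub)))

def rsu_verify(m, t, ID, PK, sig, Ppub):
    Y, w = sig
    u, h3 = Hq("H2", m, ID, Y), Hq("H3", m, ID, PK, t)
    return sub(mul(w, P), mul(u, add(Y, mul(h3, PK[0])))) == key_term(m, t, ID, PK, Ppub)

def rsu_aggregate(reports):
    """reports: (m, t, ID, PK, (Y_i, w_i)) tuples that passed rsu_verify."""
    Yagg, w, records = None, 0, []
    for m, t, ID, PK, (Y, wi) in reports:
        Yagg = add(Yagg, mul(Hq("H2", m, ID, Y), Y))   # Y = sum of u_i Y_i
        w = (w + wi) % Q                               # W = (sum of w_i) P
        records.append((m, t, ID, PK, Y))              # Y_i kept so the TA can get u_i
    return records, (Yagg, w)

def ta_verify_aggregate(records, agg, Ppub):
    Yagg, w = agg
    U = rhs = None
    for m, t, ID, PK, Y in records:
        u, h3 = Hq("H2", m, ID, Y), Hq("H3", m, ID, PK, t)
        U = add(U, mul(u * h3, PK[0]))                 # U = sum of u_i h_3i X_i
        rhs = add(rhs, key_term(m, t, ID, PK, Ppub))
    return sub(sub(mul(w, P), Yagg), U) == rhs         # W - Y - U == sum of h_4i(...)
```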


4.4 Trust Management 


After the verification vehicle entity is evaluated, the next step is to evaluate
the data sent by the verification vehicle. The trust score is defined as follows:


$$isT = f(d, ROT) \quad (1)$$


The formula describes the two parameters of isT. Since the occurrence of traffic
accidents is highly deterministic, the trust function must consider the trust
value of the verified vehicle and its accurate geographical location; that is,
the trust value of the vehicle Vtrust is represented by ROT and the effective
distance of the vehicle is represented by d. Further, the formula can be
described as:


n 


isT = — Y e ROT (2) 


n=1 


Firstly, the TA computes the trust value ROT. When a vehicle first registers
with the TA, the TA assigns an initial value to the vehicle. Every vehicle is
considered part of the trust network, which includes official vehicles, public
vehicles and private cars. Our trust management scheme integrates all the
vehicles on the road, and the initial trust value may vary depending on their
identity. This article uses the following method to assign the initial trust
value:


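$$ROT = \begin{cases} 0.8\text{--}1 & \text{if } veh = \text{Authority Vehicles} \\ 0.6\text{--}0.8 & \text{if } veh = \text{Public Transport Vehicles} \\ 0.4\text{--}0.6 & \text{if } veh = \text{Traditional Vehicles} \end{cases} \quad (3)$$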


We divide the cars into three types according to their relationship with the
authorities.

Authority Vehicles: Such vehicles include police cars, ambulances, etc., which
are authorized by central authorities, so they are highly credible.

Public Transport Vehicles: Such vehicles include buses as well as taxis operated
by government companies, which are considered to be moderately reliable
because they are authorized by specific government departments.

Traditional Vehicles: These vehicles are social vehicles with no relationship
with the authorities, like Uber service cars or other private cars. Such
vehicles have no connection with the authorities, so they must remain honest in
the network so that their information can make an impact in the network.


$$ROT^{t+1} = \eta \times ROT^{t} + (1 - \eta) \times ROT^{t-1} \quad (4)$$

We adopt the improved EWMA (exponentially weighted moving average) technique
to calculate the future credit value of the vehicle, where $ROT^{t+1}$,
$ROT^{t}$ and $ROT^{t-1}$ respectively represent the vehicle’s future, current
and historical credit values. We also define the influence factor $\eta$, which
controls how strongly the credit values at different historical times influence
the future credit value. A higher weight is given to the first two vehicle
types (Authority Vehicles, Public Transport Vehicles):

ee <n< 1.0 if veh = Vav, Vptv (5) 

0.5<7<0.7 if veh = Vw 


Note that some user vehicles may increase their trust value by performing well 
at first, but intentionally underperform when the trust value is high enough. For 
this reason, we further designed a trust circuit breaker mechanism, as shown 
below: 


$$ROT^{t+1} = \begin{cases} ROT^{t+1} & \text{if } ROT^{t+1} > ROT_{threshold} \\ 0 & \text{if } ROT^{t+1} < ROT_{threshold} \end{cases} \quad (6)$$


Through the formula, we can calculate whether the future credit value is greater
than the predetermined value of the system. Through calculation, we conclude
that the predetermined value needs to satisfy at least $ROT_{threshold} > 9.9$,
otherwise newly registered traditional vehicles will not be able to update
their scores. Further, when $ROT^{t+1} = 0$, the circuit breaker mechanism is
triggered and the predicted trust value is reduced to
$ROT^{t+1} = \alpha \cdot ROT^{t}$, where $\alpha \in (0,1)$ is called the
penalty factor. This forces an attacker to spend more time restoring its
reputation to the previous level.

After that, the TA calculates the distance between the verification vehicle and
the reporting vehicle,


$$dis = \sqrt{(m_{sender_x} - m_{in_x})^2 + (m_{sender_y} - m_{in_y})^2} \quad (7)$$


where $m_{sender_x}$ and $m_{sender_y}$ represent the x and y coordinates of the
reporting vehicle, and $m_{in_x}$ and $m_{in_y}$ represent the x and y
coordinates of the i-th verification vehicle. In addition, the distance
coefficient $\xi$ is defined. As shown in Fig. 2, the area around the location
of the reporting vehicle $v_i$ is divided into three geographical areas: a high
confidence area, a medium confidence area and a low confidence area. In
practical applications, the shape of these areas may change with the actual
situation of the road. Without loss of generality, we assume that all three
layers are circular,

$$d = \begin{cases} 1 & 0 < dis < \xi_1 \\ 0.6 & \xi_1 < dis < \xi_2 \\ 0.3 & \xi_2 < dis < \xi_3 \end{cases} \quad (8)$$

Once each parameter (d, ROT) has been calculated, the TA divides the vehicles
into two groups based on the message $m_i = (1 \text{ or } 0)$ uploaded by the validation

vehicle (Vi, V2, V3,..., Vn) and calculates the isT of each group, where isT, = 
-5 e ROT 


If Trust > 0, $m_i = 1$ is taken as the opinion of the verified vehicle;
otherwise, $m_i = 0$ is taken as the opinion of the verified vehicle. After the
TA calculates the truth of the road condition information, it increases or
decreases the reputation scores of the vehicles in the corresponding
verification vehicle group and of the reporting vehicle according to the
result, and updates the traffic information sharing system.


Fig. 2. Threshold approach
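
The decision step of this section as an added Python example (not the authors' implementation): verifier opinions are weighted by the distance tier of Eq. (8) and by ROT, and the vehicles on the rejected side are cut by the penalty factor. The tier boundaries, α = 0.5, the group score taken as the mean of d · ROT, Trust taken as the difference between the two group scores, and the sample vehicles are assumptions constructed for the example.

```python
import math

# Constructed values (assumptions): tier boundaries xi_1..xi_3 in metres and
# the penalty factor alpha.
XI = (50.0, 150.0, 300.0)
TIER_WEIGHT = (1.0, 0.6, 0.3)        # d for each tier, Eq. (8)
ALPHA = 0.5                          # penalty factor, 0 < alpha < 1

def distance_weight(reporter_xy, verifier_xy):
    """Eq. (7) distance to the reporter, mapped to the weight d of Eq. (8)."""
    dis = math.hypot(reporter_xy[0] - verifier_xy[0], reporter_xy[1] - verifier_xy[1])
    for bound, weight in zip(XI, TIER_WEIGHT):
        if dis <= bound:             # boundary treated as inclusive (assumption)
            return weight
    return 0.0                       # beyond xi_3 the opinion carries no weight (assumption)

def group_score(members, reporter_xy):
    """Mean of d * ROT over one opinion group (assumed form of isT)."""
    if not members:
        return 0.0
    total = sum(distance_weight(reporter_xy, v["xy"]) * v["rot"] for v in members)
    return total / len(members)

def judge(reporter_xy, verifiers):
    """Split verifiers by opinion m_i and return (Trust, accepted opinion)."""
    agree = [v for v in verifiers if v["m"] == 1]
    disagree = [v for v in verifiers if v["m"] == 0]
    trust = group_score(agree, reporter_xy) - group_score(disagree, reporter_xy)
    return trust, (1 if trust > 0 else 0)

def settle(verifiers, accepted):
    """Vehicles on the rejected side drop to alpha * ROT; the others keep their value."""
    return {v["id"]: (v["rot"] if v["m"] == accepted else ALPHA * v["rot"])
            for v in verifiers}

def predict_rot(rot_now, rot_prev, eta):
    """Eq. (4): next credit value from the current and the historical one."""
    return eta * rot_now + (1 - eta) * rot_prev

# Constructed scene: reporter at the origin; two nearby high-trust verifiers
# agree, six distant traditional vehicles disagree (a head count would side
# with the six).
REPORTER = (0.0, 0.0)
VERIFIERS = (
    [{"id": "AV-1", "xy": (20.0, 10.0), "rot": 0.9, "m": 1},
     {"id": "PTV-1", "xy": (60.0, 0.0), "rot": 0.7, "m": 1}]
    + [{"id": f"TV-{k}", "xy": (200.0 + k, 100.0), "rot": 0.5, "m": 0}
       for k in range(6)]
)

if __name__ == "__main__":
    trust, accepted = judge(REPORTER, VERIFIERS)
    print("Trust =", round(trust, 2), "accepted opinion =", accepted)
    print(settle(VERIFIERS, accepted))
```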


5 Scheme Analysis 


Following the security objectives of the adversary model above, we analyse the
scheme as follows.


5.1 Trust Management 


Unregistered vehicles can be effectively excluded from the system through the 
system initialization phase. When receiving road condition information, TA can 
score the different opinions on the same traffic accident through the trust man- 
agement scheme, so as to select the true opinions representing the group. In 
the calculation of trust value, vehicles with better historical performance and 
closer to the accident site are given higher weight, so as to ensure that the traffic 
information provided is true and reliable, and resist the reporting of false news 
of malicious vehicles. 


5.2 Resistance to Sybil Attacks 


A Sybil attack greatly damages the reliability of traffic information and the
operation of the evaluation mechanism [14]. In this scheme, a penalty factor is
introduced to make the trust value of a vehicle drop rapidly after malicious
behavior. Since the credit score is related to the historical credit score, it
takes more effort for the vehicle to restore its trust score to a higher level
after committing a malicious act. Figure 4 shows the status of a vehicle’s
reputation when it spreads malicious messages. Evidently, the more false
traffic information a malicious vehicle spreads, the more trust value is
deducted.

Fig. 3. Trust value changing of malicious messages


5.3 Performance Evaluation 


We ran the tests of the scheme put forward in this paper on a personal
computer. The CPU is an Intel i5-9300H and the RAM is 16.00 GB. The operating
system is 64-bit Windows 10. We implemented the cryptosystem in Java and the
compiler is IDEA. As can be seen from Fig. 3, the time cost of the aggregate
signature and aggregate signature verification steps increases with the number
of vehicles. The total time cost of our scheme is extremely low. At the same
time, compared with single signature verification, aggregate signature
verification has the advantage of low computational overhead, so it is more
suitable for resource-constrained network environments such as the Internet of
Vehicles.

Fig. 4. Total time cost


6 Conclusion


Aiming at the problem of traffic information sharing, this paper proposes a trust- 
based and secure real-time traffic information sharing scheme. In this paper, the 
certificateless aggregate signature technique is used to achieve the integrity, iden- 
tity verifiability and non-repudiation of data. The trust management system is 
introduced to improve the reliability of data. Using aggregate signature tech- 
nology, the computing cost is reduced. In order to protect the privacy of users, 
this paper realizes the anonymity of users by generating pseudonyms for users. 
Finally, through the simulation, the incentive of the scheme is verified, and the 
effectiveness of the proposed scheme is proved from the aspect of computational 
cost. 

Abstract. Education, personal self-development, and overall learning
have vastly changed over the years as a result of historical events, 
methodologies, and technologies. As students first, and then as educators, 
we have only seen slight changes in the delivery of educational content, 
with the most accepted model being “one system fits all”, we have seen 
content and delivery mediums, but little about differentiating or person- 
alizing the education experience. We challenge this traditional model by 
implementing an Adaptive Training Framework based on AI techniques 
through a Dynamic Difficulty Adjustment agent. We have conducted a 
limited sample size experiment to prove that personalized content allows 
the learner to achieve more than a static model. 


Keywords: Dynamic Difficulty Adjustment (DDA) · DDA deep
reinforcement learning · Mathematical DDA · DDA in education ·
Gamification in education


1 Introduction 


As students then and educators now, we are often in the position of following the 
footsteps of our predecessors in a mission to spread knowledge and educate the 
next generations. What may start as one of the most exciting professions soon 
becomes a more significant endeavour than we may have hoped to deal with. As
this paper will mainly focus on, university education requires continuous work, 
which often leaves us with little to no time to improve our coursework beyond 
the standard. 

As we move towards education as a commodity that can be accessed across 
any media, more questions arise about whether or not standards can be main- 
tained to engage with the ever-increasing student population. 
An increased number of students have created burdens on the system, reflecting
on the quality of life of educators. Watts and Robertson in [1] identify three
main characteristics, emotional exhaustion, depersonalization and dissatisfac- 
tion, as critical indicators of burnout syndromes in universities and how this 
impacts not only the personal life but also the quality of teaching. 

With these critical findings, how can we guarantee quality and also an excep- 
tional student experience? Under this pressure, the ideals of young educators 
fall back into ‘provide the minimum required standard’, or the comfortable, one 
method fits all. 

This has motivated us to go beyond these thoughts and find ways to make 
students’ lives more rewarding and educators’ role simpler by applying an adap- 
tive framework that only requires to be developed once and updated less, which 
can provide a higher level of study experience to our young future professionals. 
In creating our novel approach, one of the key features was implementing an 
assessment system based on flow theory. Csikszentmihalyi [2] - the creator of 
this theory, explains that “there exists a state of mind called FLOW, where the 
user’s engagement and learning are maximized, and that happens when the task 
ahead is of a well-adjusted difficulty for the user, not to seem too easy, nor too 
difficult.” 

This theory is widely used in creating artificial intelligence for video games
to keep the player engaged, making the game neither too difficult nor too easy.
We adapt this to allow us to create a personalized experience for each student.
Using this method, students always face a task ahead of the right difficulty,
as we assume that all students are different and learn at a different pace.
This way, students who are slower than others do not face tasks so tricky that
they drop out, and those who are faster are not bored because the tasks are too
easy for them. How we implemented it is described in the experimental
methodology.

In this paper, we have taken a simple approach, by our admission, but further 
studies will provide more significant insights. Furthermore, as proved by our 
experiments, we are very optimistic that this is only the foundation of a long- 
term project which will boldly target changing how we assess students today. 


2 Student Engagement and Gamification 


2.1 Engagement and Learning Styles 


Student engagement is also defined as “students’ involvement with activities and 
conditions”, which aim to facilitate high-quality learning [3]. The improvement 
of student involvement has been one of the primary missions and challenges for 
higher education regardless of educational formats. While student engagement 
is derived from many underlying factors, many teaching approaches (e.g., active 
learning) have been adopted and suggested to either build or enhance student 
engagement in various higher education fields (Fig. 1). 

Fig. 1. Flow theory in practice


Given the differences in personality types, professional/educational experi- 
ence and expectations, and adaptive competencies, individual students have their 
ways of gaining knowledge and skills [4]. This opinion may raise the question of 
considering student learning styles to design and improve learning structures 
and courses. While several studies suggest the use of learning style theory as
a potential tool to assist students in improving their learning performance [5], 
there are concerns toward the course customization based on learning styles, 
mainly due to problems of measurement [6]. 

According to an AUSSE report, ‘appropriate levels of intellectual challenge 
along with sufficient education support’ play an essential role in increasing stu- 
dent involvement in their work, and this further gives a positive effect on their 
learning outcomes [3]. Given the generic learning activities and assessment, it 
often relies on the individual class tutor or unit chair to generate the ‘appro- 
priate levels of learning challenges’, which could be challenging for many tutors 
and unit chairs. This challenge may lead to the hype of using gamification in 
many educational fields. 


2.2 Gamification in Education 


The use of game elements/features has been one of the educational trends for 
the past few years. Although the focus of studies is different, some experimental 
studies identified the positive impact of using game elements/features in stu- 
dent motivation, attention and learning performance [7]. This positive outcome 
may have a close relationship with the characteristics of games. According to 
the literature, one of the most well-known characteristics is the freedom to fail. 
This approach reduces the fear of failure in learners’ experiment process and 
also resulted positively in student engagement [8]. Besides, the ability to provide 
frequent and immediate feedback could be beneficial [9], considering the practi- 
cal restrictions in providing frequent feedback in a classroom setting. Lastly, it 
also allows adjusting learning activities based on the progression of individual 
learners, which is known as a Dynamic Difficulty Adjustment system [5]. These
characteristics are often discussed as the major benefits of using gamification in 
education. 


3 Dynamic Difficulty Adjustment (DDA) 


Much research points to the fact that computer-based learning is highly
effective in comparison to traditional learning, and that this holds from a
very early stage of an individual’s learning and development [10]. Yien et
al. [11] provide an experimental group of sixth-grade students with a
game-based learning curriculum and establish that it was more effective than
the traditional learning curriculum.

Wang and Chen [12] highlighted a fundamental distinction between perfor- 
mance and engagement. According to their research, individuals performed bet- 
ter when they were initially given a game to clarify their concept, followed by a 
challenge game. However, they showed less engagement or flow as described by 
Mihaly Csikszentmihalyi [2]. The primary reason could be that participants were 
asked initial concept clarification questions that required them to differentiate 
between important concepts and point out examples that might digress indi- 
viduals from the immersive experience and cause boredom. Therefore, it seems 
crucial to find the right balance between performance and engagement while 
developing computer-based learning platforms. 

Research supporting computer-based learning has been carried out in recent 
times. However, the purpose of our study was to go one step further than that 
and apply Dynamic Difficulty Adjustment to computer-based learning platforms. 
Most of the research done in Dynamic Difficulty Adjustment has focused on
multiplayer games. However, research is now also being done to apply DDA to
serious games [13]. Serious games are games that are not designed for
entertainment purposes but for education or other means. In both scenarios, most of the
difficulty ‘adjustment’ revolves around the modification of specific parameters 
and game scenarios to ensure that the players do not get bored or frustrated 
while playing the game [14]. Our research is the first of its kind as we aim to 
apply DDA on purely educational platforms to be used in higher education. 

Besides ensuring that users do not get disengaged from the tasks, research has 
also been conducted to show that DDA techniques can assess the users’ current 
state and adapt to improve performance. This feature helps students maximize 
their work productivity as well [15]. Despite all these qualitative experiments, it 
has also been claimed that player expertise has a considerable influence on the 
perception of the level of difficulty [14]. There were promising results concerning 
adaptive educational games adjusting their features such as task difficulty, object 
speed and learning content according to the current state of the player [13,16].
Research has also shown that DDA systems can be used to facilitate the
transition of users from novice to expert [17].

One study has shown that while using DDA in gaming, an AI runtime module 
called the Experience Engine can dynamically create activities that are actively 
allocated to the players to ensure that the aims of the author or teacher are
fulfilled. The individual’s profile includes various features, including their
level of skill, task type preferences, skill needs and preferences, and
learning style needs/preferences [13]. For all these reasons and others, DDA is
seen to provide personalized learning for the participants. Ung, Meriaudeau and
Tang [15] aim to improve the outcome, as shown in Fig. 2. Furthermore, it has been reported
in research that this also improves the experience for the players to get quicker 
performance gains and get the feeling of being in greater control when DDA is 
used to match their skill level [18]. 

Another school of thought has tried to assess the participants based on 
their mental state rather than their performance. This approach showed a more 
remarkable improvement in the performance of the participants. They seemed to 
be more immersed in the challenge [10,19] tries to study when to trigger DDA in 
a third-person shooter game and used a unique approach of measuring players’ 
excitement level using an Emotiv EPOC headset to read electroencephalography 
(EEG). If the level of excitement drops down under a certain threshold, DDA is 
activated to mitigate the problem. This method addresses degraded game expe- 
rience and uses a proxy for excitement level than a performance scoring level. 

Ung, Meriaudeau and Tang [15] propose the design and subsequent application of
a functional near-infrared spectroscopy (fNIRS)-dynamic difficulty adjustment
(DDA) system. Their experiment has a total of 25 participants who undergo a
control session with Fixed Difficulty Training (FDT) and one with
Neurofeedback Training (NFT) that uses the DDA system. The result showed
considerable improvement using the DDA-backed system. All of the above research
has opened an avenue for DDA to be used in alleviating medical disorders. This
idea can be seen in one study that has claimed that DDA can play a potential
role in several fields, including treating cognitive mental disorders such as
Attention Deficit Hyperactivity Disorder (ADHD) [21]. They use visuo-haptic
training with DDA as they claim that it is the most effective in attention
training.

When we talk about educational assessment, we see that the personalization 
brought by DDA can help mitigate the problem of plagiarism as well [22]. 

Much research has been done to determine the most viable and effective way of
measuring how difficult a task is for the individual. For example, a
"Challenge Function" and an "Evaluation Function" are two concepts introduced
in [14]. The functions use various quantitative information from the players
to assess the game state and the player's skill level, and perform the
adjustments that suit the player's abilities. Using heuristic functions is
therefore very common in assessing the skill level of participants.

On the other hand, some people believe that difficulty adjustments are
required when the individual is mentally fatigued rather than when their skill
level is not up to the mark. The research assesses that the drop in
oxygenation level in subjects might indicate mental fatigue, leading to the
participant being less engaged in the task at hand. In contrast, the
oxygenation levels of NFT subjects remained almost constant throughout the
experiment. This finding suggests that the proposed fNIRS-DDA system aided
the participants in avoiding mental fatigue [15].

Bayesian statistics may be used to dynamically predict or evaluate the
difficulty of specific tasks using the participants' performance measure. Such
probabilistic techniques are more commonly applied in multiplayer games, which
are mainly stats-based in nature. Neural networks, the k-nearest neighbours
algorithm, and linear and nonlinear regression are other standard models used
to assess individual skill levels and future states [20]. All these models aim
to predict players' current state and make the necessary parameter adjustments
to keep individuals in engaging interaction loops for a required amount of
time.

While it has potential benefits, DDA does not come cheaply. Ultimately, 
DDA IA systems tend to take control away from the author and give it to the 
algorithm [20]. [4] does highlight the need for several trials of user performance 
to predict with accuracy; however, other research claims that since we are just 
aiming for the best fit of the given current information, several trials may not 
be necessary. 


Fig. 2. An example on how DDA is applied to maximise the final outcome of a test. 


4 Research Methods 


In creating TuneIn, we wanted to make sure that we would be able to test our
assumptions:


— Assumption 1: that a study path tailored to keep the student in the flow zone 
(DDA student) will improve their performance, especially in the amount of 
content absorbed. 

— Assumption 2: Students using the standard method (STD students) will score, 
overall, less than DDA students. 


To run the test, we selected a pool of 500 questions and problems from a
Linear Algebra class divided into five levels of difficulty (division already
provided by the book used to gather the test questions). To this end, we ran a
randomised, double-blind trial which we carried out through an app. The test
consisted of a pool of 20 questions with a time limit of 2 min for every
question. Every time a new student takes the test, the app chooses behind the
scenes whether to use the DDA mechanism or not.

The app in DDA mode presents questions of varying difficulty, depending on the
student's current level. When the DDA mechanism is not chosen, the question is
generated using a pattern from levels 1 to 5. The level is chosen randomly
with an equal distribution of difficulty to prevent the student from facing a
test with only hard questions or only easy questions. The result is a random
selection of 4 questions per level (which leads to 20 questions in total).

To run the test and evaluate whether the DDA mode is more efficient than the
random picking of the questions, we used two different models of DDA: a
simpler one based on mathematical operations (called MathDDA) and a different
approach based on Reinforcement Learning (called RLDDA).


4.1 MathDDA 


In MathDDA, the level always starts at 1. It is updated depending on whether 
the last questions were answered correctly or not. Each correct answer increases 
the updated level by L, while each mistake decreases it by z. The two numbers 
differ, reflecting that a wrong answer is not intended to be a punishment. 

The current level (the level of the question the user will face) during the test 
is the result of the following formula: 


Y = round(updatedlevel) (1) 


4.2 RLDDA 


On the other hand, RLDDA is based on a DQN feed-forward Neural Network 
and a custom reward function to extract the best outcome from the student. 

The basic concept of this model is to train a network based on a Q-Learning 
algorithm to automatically select the following question with the final aim to 
maximize the student grade. 

At the heart of Q-Learning is the function Q(s, a), which gives the discounted
value of taking an action a in a state s. This value is equal to the reward
for taking a specific action a in a state s plus a discounted value for all
the future states in which the agent will end up. In short, it is the value of
picking the optimal action in a specific state, represented by the formula:


$$Q(s, a) = r + \gamma \max_{a'} Q(s', a')$$


The goal of this approach is to find the optimal policy that maximises the 
reward function: 


$$\pi(s) = \arg\max_{a} Q(s, a)$$




where π(s) is the policy at state s, chosen to let the student achieve the
highest possible score relative to their current level.

The reward function has to reward the model when the student answers
correctly and punish it when the answer is wrong, since a wrong answer means
that the model has picked the wrong question level for the student to achieve
the highest possible score. To prevent the model from converging to a local
minimum in which it presents only low-level questions to maximize its reward,
the higher the question's level, the higher the reward/punishment has to be.
As in a normal Reinforcement Learning approach, the model has to have an
observation space (state) and an action space, described below.


State. The state provided to the DQN network is an array with the following 
elements: 


— Level of the previous question (from 1 to 5). 

— Question index (e.g., 4 if it is the fifth question).

— Number of correct answers. 

— Number of wrong answers. 

— Total reward achieved from the beginning of the test (that has to be also an 
input since it represents an estimator of the level of the student). 


Action Space. On the other hand, the action space is a set of 3 actions:


— 0 for decreasing the level by 1 compared to the previous question.
— 1 for increasing the level by 1 compared to the previous question.
— 2 for keeping the level the same as the previous question.


Network Structure. The network structure, as shown in Fig. 3, is composed of
an input layer with 5 nodes, 2 fully connected hidden layers with 12 nodes
each and an output layer with 3 nodes. This last layer is responsible for
outputting the estimated Q-value for the 3 different actions that the network
can perform.


Reward System. In order to provide an evaluator that the network can use to
assess the quality of its own decisions, a simple reward function is
implemented. This reward function aims to direct the network toward its
absolute minimum, providing every action with a score (reward/punishment
system). The network's only objective is to maximize the value of the reward
in the long run.

The reward in this experiment is a score corresponding to the coefficient of
the question provided (coefficient based on the level), where the sign is
positive if the answer is right (reward) and negative if the answer is wrong
(punishment). The coefficients are as follows: level 1: 0.5, level 2: 0.6,
level 3: 0.7, level 4: 0.85, level 5: 1.0.
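
The following added example (not the authors' code) applies the Q-value equation, the three actions and the level coefficients above to a constructed student who answers every question up to a fixed skill level correctly, and compares them with a flat ±1 reward. It simplifies the state to the previous level only and uses a table instead of the DQN; the discount factor, the student model, the starting level of 1 and all function names are assumptions.

```python
# Reward coefficients per question level, as listed in the text.
COEFF = {1: 0.5, 2: 0.6, 3: 0.7, 4: 0.85, 5: 1.0}
# Flat variant used only for comparison (assumption, not from the text).
FLAT = {lvl: 1.0 for lvl in COEFF}

ACTIONS = (0, 1, 2)   # 0: level - 1, 1: level + 1, 2: keep the level
LEVELS = (1, 2, 3, 4, 5)
GAMMA = 0.9           # discount factor; assumed, the text gives no value


def next_level(prev_level, action):
    """Apply an action to the previous question's level, clamped to 1..5."""
    delta = {0: -1, 1: +1, 2: 0}[action]
    return min(5, max(1, prev_level + delta))


def answers_correctly(skill, level):
    """Constructed student: always right up to `skill`, always wrong above it."""
    return level <= skill


def reward(level, correct, coeff):
    """Signed coefficient: positive for a right answer, negative for a wrong one."""
    return coeff[level] if correct else -coeff[level]


def solve_q(skill, coeff, sweeps=200):
    """Iterate Q(s,a) = r + gamma * max_a' Q(s',a') until it stops changing.

    Simplification: the state is only the previous level, and a lookup table
    replaces the 5-12-12-3 network, so the result can be checked by hand.
    """
    q = {(s, a): 0.0 for s in LEVELS for a in ACTIONS}
    for _ in range(sweeps):
        new_q = {}
        for s in LEVELS:
            for a in ACTIONS:
                s2 = next_level(s, a)
                r = reward(s2, answers_correctly(skill, s2), coeff)
                new_q[(s, a)] = r + GAMMA * max(q[(s2, a2)] for a2 in ACTIONS)
        q = new_q
    return q


def greedy_policy(q):
    """pi(s) = argmax_a Q(s,a); ties go to the lowest action id."""
    return {s: max(ACTIONS, key=lambda a: q[(s, a)]) for s in LEVELS}


def rollout(policy, skill, coeff, n_questions=20, start_level=1):
    """Run one 20-question test; return the asked levels and the final state."""
    prev, n_ok, n_bad, total = start_level, 0, 0, 0.0
    levels = []
    for _ in range(n_questions):
        level = next_level(prev, policy[prev])
        ok = answers_correctly(skill, level)
        total += reward(level, ok, coeff)
        n_ok, n_bad = n_ok + ok, n_bad + (not ok)
        levels.append(level)
        prev = level
    # State layout from the text: previous level, question index,
    # correct answers, wrong answers, total reward so far.
    return levels, [prev, len(levels), n_ok, n_bad, total]


if __name__ == "__main__":
    for name, coeff in (("level-scaled", COEFF), ("flat", FLAT)):
        policy = greedy_policy(solve_q(3, coeff))
        levels, state = rollout(policy, 3, coeff)
        print(name, "policy:", policy, "levels:", levels, "state:", state)
```

With the flat reward every level the student can answer is worth the same, so the table is indifferent between raising and keeping the level and the rollout never leaves level 1; with the level-scaled coefficients the policy climbs to the student's level and holds it.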

4.3 Application Flow


As shown in Fig. 4, the application developed randomly assigns every user to
the selected group and then performs the final assessment on the result.
Although simple, the application developed is fully functional and was offered
as a service. The participants were chosen from a cohort of people of both
genders, between 18 and 23 years of age. All participants have at least
completed high school and are currently enrolled in a scientific course at a
university (to guarantee that all the students had already covered the
fundamentals of Linear Algebra). Coming from a university background and
thinking about future adoption, we strategically decided to look into the part
of the education world that is faster at implementing than others, so we
picked the university target.


5 Preliminary Findings 


After conducting our pilot experiment, we cleaned our data. We had a sample of
99 students who completed their assessment, equally split into three groups,
each assigned to an approach. Every cluster of 33 students performed the test
similarly, with the same time constraint, differing only in the algorithm that
picked the questions.

As shown in Fig. 5, the Random approach led to an average of 46 points
compared to 54 and 57 for MathDDA and RLDDA. So, the DDA approach is
beneficial for the students' outcomes.



Fig. 5. Visual representation of the final score in the three groups. 


The second observation was that the DDA-backed cohort attempted more questions
than the control group (8% more on average). The control group attempted fewer
questions or even dropped out of the assessments more frequently. The main
explanation could be that the students attempting their assessment on the DDA
platform felt more engaged and confident. With DDA, the students never faced
questions significantly too tricky compared to their actual level.

Fig. 6. Visual representation of the average time spent per question in the three groups.


Finally, it was also noteworthy that the DDA groups spent less time on each
question on average, with 31 s and 32 s for MathDDA and RLDDA compared to 34 s
for the random approach, as shown in Fig. 6. Possible explanations for that
fall in line with the flow theory of learning. The student is more engaged and
performs much better on the dynamic platform, which adjusts the difficulty of
questions and ensures that the student remains within the flow channel.


6 Discussion 


This paper has revealed some interesting insights that are bound to become the 
foundation for much more extensive exploration. The few elements that we have 
used and the assumptions we have brought forward were proven correct within 
the limitation of our experiment. The outcomes were relatively straightforward, 
limiting our current phase to simple validation. 

From an early experiment, we showed how a DDA approach could improve student
performance, shaping the test to the student's specific knowledge level and
making the student comfortable with the test level. Given that the user
usually never faces a question too difficult by orders of magnitude, we
strongly believe that the psychological factor is the key to keeping the
student focused on the test and confident about their knowledge.


7 Limitations and Future Research 


There are several limitations to this study. Firstly, the sample size of this
study is limited because it is only based on the first phase of data
collection. Besides, data collection is only focused on capturing time and
levels; we did not have information specific to individuals in our cohorts,
but only the general information. Given the limitations, this research will be
extended with another phase of data collection to test student engagement and
performance and identify critical factors/features that play an essential role
in shaping the student's experience of using the platform.

In the future, we will include more concise information about our participants
to fine-tune the difficulty levels. We will also explore different topics
beyond mathematics to verify whether or not the theory still proves correct in
non-STEM subjects.

Abstract. In recent years, several blockchain-based access control models have
emerged to give individuals control over their sensitive Electronic Medical
Records (EMRs) in the healthcare sector. From our extensive literature review,
we observe that currently these models have no provision for prioritising
emergency transactions. This critically affects the quick and streamlined
sharing of EMRs in a multi-domain network environment. Further, it restricts
the optimal usage of the blockchain network, affecting scalability. Sharding
has arisen as a viable option for addressing the issue of blockchain's
scalability and performance. Motivated by this, in this paper we first propose
prioritised sharding (P-sharding), a novel mechanism to streamline the
processing of priority or emergency transactions in blockchain-based access
control models by improving the throughput of each prioritised shard, in the
context of multi-domain healthcare networks. Finally, the performance of the
model is verified, validated, and also compared with the existing sharding
mechanism. The obtained results are promising and encourage further work in
this direction.


Keywords: Blockchain-based access model · Electronic medical records ·
Healthcare · Priority transactions · Scalability · Sharding


1 Introduction 


Blockchain technology is defined as a peer-to-peer decentralised network with
a distributed ledger of transactions. The network of nodes validates the
transactions using cryptographic means, solving a mathematical puzzle via
mining. With its secure features, blockchain has found many applications in
various sectors ranging from financial services, supply chain and insurance to
healthcare. Our research primarily focuses on the healthcare domain. Highly
sensitive Electronic Medical Records (EMRs) need to be securely accessed and
shared in a streamlined way among healthcare professionals working in
multi-domain healthcare facilities. EMRs are conventionally recorded in
cloud-based health repositories, with the strategic initiatives of data
sharing across different registries. However, this carries a very high risk of
a security breach, posing a major challenge for digital trust in e-Health,
where storing, accessing, and exchanging sensitive patient-related data must
comply with several regulations while remaining accessible to authorized
health practitioners [1]. Cloud-based access control models [2,3] validate the
access right through a centralized entity and therefore suffer from a single
point of failure.

Healthcare is one of the domains with the biggest investment in blockchain
technology due to its secure transaction processing for transferring sensitive
EMRs. Decentralised blockchain technology provides a solution that makes
medical data secure, achieves patient-centricity, and makes the data
accessible across health departments. In recent years, many blockchain-based
access control mechanisms have been proposed for EMRs. All these models rule
out the validation of access rights by a centralised server. An architecture
for scalable access management has been proposed in the Internet of Things
(IoT) context [4]. Some other methodologies for managing medical records have
been proposed in [5] and [6] using smart contracts [7], considering the issue
of interoperability and making their systems more compatible. In [8], the
authors have developed an access control framework based on smart contracts,
built on top of a distributed ledger, to secure the sharing of EMRs among
different entities involved in the smart healthcare system.

However, during our study, we identified that not all healthcare data are of
equal importance; they have different service requirements on the
blockchain-based access model. Emergency EMRs need to be processed faster,
according to their priority in the access control mechanism, which the current
blockchain is not fully capable of doing except for high transaction fees. In
existing blockchain systems, all the transactions are considered evenly and
processed First-In-First-Out (FIFO), irrespective of the type of consensus
used. We believe that a) this not only restricts the optimal usage of the
blockchain's capacity but also allows selfish (malicious) validators to flood
the network with less important transactions, preventing emergency
transactions from being processed in a timely manner, b) without prioritising
the emergency transactions, fatal loss is incurred by the patients and
hospitals, as it hinders real-time access to a patient's EMR in Emergency
Medical Services (EMS), and c) finally, to optimize OPEX and CAPEX, EMS have
to consider the prioritised transactions before the regular ones. Some early
attempts have been made by [9,10] to analyse the performance of blockchains in
the context of scalability without the provision of transaction
prioritisation.

To the best of our knowledge, none of the existing blockchain-based access
models has a provision for prioritising emergency transactions, which
eventually restricts their ability to scale [11,12]. Existing blockchain
platforms like Bitcoin [13] and Ethereum [14] only process a limited rate of
transactions per second (tps) in a FIFO manner, leading to increased overall
latency. It takes longer for emergency transactions to be fetched from the
memory pool because there is no provision for prioritized scheduling. Hence,
blockchain cannot be immediately applied to the healthcare system in its
present state. It is of utmost importance to tackle these challenges before
commercially integrating blockchain-based access control into the healthcare
system. A blockchain-based healthcare system can be optimized in terms of
scalability in the following ways to handle a growing number of EMR
transactions: a) reducing the communication and computation overhead; b)
adding resources to a single node, i.e., vertical scaling; and c) adding more
nodes to the blockchain, i.e., horizontal scaling, which includes the concept
of sharding.

In order to add this provision, we are among the early ones to propose a novel
mechanism named priority sharding (P-sharding), fundamentally based on the
sharding principle, to prioritise the processing of emergency transactions by
applying tags to EMR transactions in blockchain-based access control models.
The key idea behind P-sharding is to automatically divide the available
computational resources into smaller groups or committees, each processing a
prioritised sharded block containing a set of emergency EMRs. The major
contribution of P-sharding is to process the transactions faster and alleviate
the scalability issues. In sharding [15], data is broken into different shards
and, instead of all nodes verifying the entire data individually, they verify
one shard each side-by-side. The amount of time is saved exponentially through
sharding [16]. In this paper, we have applied prioritised sharding on an
Ethereum-based permissioned blockchain (see footnote 1). We take advantage of
the sharding concept and, with our analysis, we observe that the
prioritisation of transactions directly impacts the scalability of the system.
Hence, our model of P-sharding prioritises the emergency transactions and
processes them faster, contributing to the development of a streamlined and
scalable system. The main contributions of our paper are highlighted as
follows.


1. We propose the first-ever novel approach of prioritisation in sharded 
blockchain to process emergency transactions faster as per their priority. This 
improves the processing rate of prioritised emergency transactions drastically. 

2. We simulate our proposed approach through permissioned blockchain in a 
controlled environment. Evaluation results signify that our model is scalable 
and efficient to achieve priority-based weighted fair queuing using a proba- 
bilistic approach. 

3. We identify a significant use-case of the above contribution in the healthcare 
sector to have scalable and efficient blockchain-based access control. 


The remainder of this paper is organized as follows. Section 2 gives an
overview of the related works. In Sect. 3, we introduce our proposed
P-sharding model and provide the details. In Sect. 4, the implementation and
performance analysis are given. Finally, Sect. 5 concludes the paper and
provides further discussion.


1 https://github.com/ethereum/sharding.

2 Preliminaries


Before we provide in depth details of P-sharding, in this section we show a 
typical behavior of blockchain-based access control models. We observe that 
workflow of the majority of these models [4-8] is relatively the same. Based on 
this observation, now we present a high-level generic blockchain-based access 
control framework, as shown in Fig. 1. 

Fig. 1. High level illustration of blockchain-based access control framework.


2.1 Blockchain-Based Access Control Mechanism 


There are mainly four entities involved in the blockchain-based access control 
models. Here, we discuss the functionality of each sub-module as below. 


— Users with DApp. It is a decentralised web application used by front-end
users to render the blockchain-based access control application. It contains
peer decision makers, rules, and policies scripted in a specific language
(Solidity, Vyper etc.) about how the peers are allowed to access information
[17]. The interface between users and the DApp is mainly a JavaScript
Application Programming Interface (API) that establishes communication with
the blockchain network. It contains a wallet that manages the cryptographic
keys and keeps a record of blockchain addresses. A user sends an access
request through the DApp. In DApps, users can directly send requests and
access data without a single server controlling it, as in the client-server
model. Once the user has sent the request through the DApp, it cannot be
tampered with or deleted. This leads to secure and open governance. DApps
offer various applications in healthcare, financial sectors, gaming, supply
chain etc.

— Blockchain network. After the user sends the access request, it is broadcast
to each peer in the blockchain network. Then, the network of nodes verifies
the legitimacy of access requests based on a consensus mechanism. The
transactions are cryptographically signed and appended to the main chain after
the consensus. Blockchain consensus can be broadly classified into proof-based
and vote-based. Proof-based consensus mechanisms are fully decentralised and
permissionless. They elect a leader by introducing a game approach to propose
a final block value. For example, cryptocurrencies like Bitcoin and Ethereum
utilise Proof of Work (PoW) consensus, where miners with varying computational
power compete against each other to solve a mathematical puzzle to confirm
transactions on the blockchain network, and the miner with sufficient proof
gets rewarded. Other such consensus mechanisms are Proof of Stake (PoS) [18],
Delegated Proof of Stake (DPoS) [19], etc. They are hard to scale with the
growing number of nodes across the network [20]. Vote-based consensus
mechanisms, in contrast, are simpler than the proof-based ones, as they
achieve consensus based on rounds of votes. Byzantine fault-tolerant (BFT)
consensus protocols, such as Practical Byzantine fault-tolerance (PBFT) [21],
are among the vote-based consensus mechanisms. These consensus protocols have
high performance but the degree of decentralisation is low. Due to
decentralised consensus, blockchain achieves a great level of security. The
blockchain network, also famously called distributed ledger technology (DLT),
records and replicates the transactions across each node. It provides ledger
and smart contract or chain code services to various applications. It records
the provenance of a digital asset in a distributed, shared, and immutable
ledger. The blockchain network operates across a peer-to-peer network of
computers without a central authority or intermediary.

— Access control policies. Each peer in the system has a list of Access
Control Policies (ACPs) constituting access agreements between the data owner
and data requester. In a blockchain-based system, the involved entities define
the access control policies in the smart contract and manage access. Smart
contract-based ACPs check for any kind of misconduct, time of last request
(ToLR), etc. and grant access permission to the requester. They also revoke
access control in case of any misconduct. The smart contract-based access
policies are not only decentralised but also self-executable. This eliminates
the threat of any internal or external attack due to the SSL certificates
located at each node rather than using the traditional passwords. Multiple
smart contract-based access policies have been proposed for Internet of Things
(IoT) systems to achieve distributed and trustworthy access control [22].

— Data storage. As blockchain is a distributed system, data is stored in
computers or nodes across the whole network. Each of these nodes contains a
copy of the blockchain ledger. In blockchain-based access control, data can be
stored inside or outside the blockchain. Considering the limited block size of
the blockchain, some of the existing frameworks come up with the idea of
storing data in the cloud while their corresponding hash is packed into the
blockchain. Various existing blockchain platforms have different ways of
storing data. For example, Ethereum stores the transaction data in a trie only
when the transaction is confirmed. Corda [23] uses the concept of states to
store data rather than broadcasting to each peer, while Hyperledger [24] uses
LevelDB and CouchDB to store the state data. The whole process of data storage
can take anywhere from a few minutes to hours, depending on the congestion in
the network.


The bottleneck in the existing [4-6] and our proposed smart contract-based
access control model [8] is the slower transaction processing rate for
emergency or priority EMR transactions due to the FIFO scheduling, despite
their higher importance. In the next subsection, we explain the issue of
scalability in detail to gain insight into the performance and scalability of
blockchain-based access models.


2.2 Scalability and Performance Issue 


Blockchain networks such as Bitcoin avoid the double-spending problem through 
the consensus protocols where each transaction is recorded and validated 
by every node on the chain. This ensures transparency, data integrity, and 
immutability in a decentralised blockchain environment. But, it restricts the 
scalability as current blockchain systems can process only a few transactions per 
second. It is mainly affected by key factors, i.e., block mining rate, transaction 
processing, and waiting time of the transaction in the queue to get processed. 
This needs to be addressed before blockchain is adopted in real-time systems 
such as smart healthcare [4]. A blockchain network suffers mining congestion
when the transaction generation rate is higher than the transaction processing
rate, leading to a longer waiting time for a transaction to get mined. We
emphasise that none of the given access models has a provision to process the
prioritised transactions or access requests faster, and they do not consider
the allocation of adequate resources (resource fairness). This factor is of
utmost importance and hence cannot be ignored in terms of increasing
scalability [25] or optimizing the blockchain network resources. Some of the
solutions proposed to address this challenge are a) off-chain solutions, b)
Directed Acyclic Graph (DAG), and c) sharding.


1. Off-chain: This approach to tackle scalability in the blockchain network is to 
store transaction-related data in the local nodes, which are often referred to 
as off-chain [26]. These local nodes only send a summary or outcome of the 
transactions to the main chain. Another such solution is creating a network 
of micro-payment channels to instantly confirm a payment transaction [27]. 
Such off-chain solutions cannot guarantee the validity or legitimacy of off- 
chain transactions. To tackle that, often validator nodes are introduced to 
endorse the transactions but still, the validity is compromised due to the 
centralisation. 

2. Directed Acyclic Graph: Another approach is to design the blockchain as a
Directed Acyclic Graph (DAG) network [28,29], where each transaction is
linked to multiple transactions rather than to blocks. Theoretically, the
higher the volume of transactions, the faster a DAG network can validate
them.

3. Sharding: Sharding has been extensively explored in the distributed database 
systems to alleviate scalability and performance. Database sharding refers 
to the horizontal partitioning that splits large databases into smaller chunks 
called shards across multiple servers. 


To address scalability problems in conventional blockchain, many blockchain
sharding protocols have been introduced. In standard blockchain sharding, the
entire blockchain's state is broken into shards that contain their independent
history of state and transactions. Omniledger is among the earliest works
conducted to achieve high Visa-level performance in distributed ledgers
through parallel intra-shard transaction processing [30]. It introduces a
cross-shard protocol to handle transactions affecting multiple shards.
Optchain [31] seeks to enhance the placement of transactions in order to
minimize the adverse effect of cross-shard transactions on the efficiency of
existing sharding proposals. It implements a temporal fitness score to measure
the probability that a transaction should be placed into a shard without
causing further cross-shard transactions. However, these sharding techniques
enhance scalability by compromising a core property of blockchain, i.e.,
decentralisation. Spontaneous sharding has been suggested as a solution where
transactions are sharded by the nature of the value transfer system [32]. With
each value, a proof is associated that grows with the number of nodes it
passes. Hence, to keep the transmission costs low, nodes would prefer to keep
the transaction in smaller shards rather than in the entire network. It does,
however, bring the downside of low storage capacity.


3 P-sharding: Proposed Framework 


In this section, we propose and discuss our novel framework to prioritise and effi- 
ciently process emergency transactions in blockchain-based access control mech- 
anisms in smart healthcare. We name this model P-sharding and explain it as 
follows in detail. 

Our proposed model of P-sharding introduces priority into the sharding
mechanism proposed by Ethereum. In this methodology, the transactions are
split up among smaller groups of nodes, based on the prioritised data, to get
validated. We assume that only the trauma and emergency departments of any
hospital can put a priority tag on EMR transactions, and that the emergency
EMR transactions accumulate in the memory pool. The idea behind P-sharding is
illustrated in Fig. 2. The detailed step-wise workflow sequence is given
below.


1. Transactions are grouped in the memory pool as they arrive in the system.
In every mining iteration, the blockchain is divided into shards. The number
of shards, which is the length of the transaction array, is set according to
two factors: (a) the transaction load and (b) the number of validators in the
network. Then the transactions are randomly divided among all the shards and
collected into their respective sub-blocks. Each of the shards has its own
ledger. These shards process and store a disjoint set of transactions.
Validator nodes are randomly assigned to each shard.

2. The transactions with priority are then chosen from the sub-block based on 
their priority tag. The tag with 0 indicates a non-priority transaction, while 1 
represents a transaction of priority. In our proposed model, the transactions 
are then sequenced as per the priority and held in the respective priority and 
non-priority mining queues based on FIFO. 

3. After sequencing, the randomly selected validators in the network verify the 
prioritised transactions by allocating their resources prior to the non-priority 
transactions. 

4. Finally, the verified block is generated and added into the sharded blockchain.

Fig. 2. Proposed P-sharding model.


Since the sharded blockchain has multiple shards, these emergency transactions
take the least time to fetch from the memory pool. This results in
faster transaction processing and helps in the development of an efficient access
control mechanism. Table 1 depicts the structure of the proposed P-shard, in
which a transaction group is divided into two parts: a) transaction group header
and b) transaction group body. The transaction group header is further divided
into two sections. The left section is as follows:

— Shard ID. Every transaction specifies the ID of the shard it belongs to.

— Pre-state root. It represents the state of the root of the shard before the 
transaction is registered. 

— Priority score. It is the total count of priority transactions in a block. Our 
aim of adding a priority score is to reduce the response time and maintain 
the service quality for the priority transactions. 

— Post-state root. It shows the state of the root of the shard after the registration 
of transactions. 

— Receipt root. It is generated after all the transactions in the shard are regis- 
tered. It facilitates the cross shard-communication. 


The right part of the transaction group header consists of random validators,
which are randomly chosen and are responsible for verifying the transactions
in the shard. The transaction group payload holds all the transaction IDs in the
shard itself. Each transaction has a priority tag field of 0 or 1 that represents
its non-priority or priority state, respectively.


Table 1. Structure of P-shard.

Transaction group header

Shard ID: 23              | <sig #3256> <sig #4672>
Pre state root: 142c3dfg  | <sig #7089> <sig #8796>
Priority score: 6         | <sig #4351> <sig #2317>
Post state root: 567819ab | <sig #2356> <sig #6451>
Receipt root: ca4567f7    | <sig #1254> <sig #2478>

Transaction group payload

Tx a142; PriorityTag:1 | Tx a674; PriorityTag:1 | Tx a542; PriorityTag:1
Tx a231; PriorityTag:1 | Tx a892; PriorityTag:1 | Tx a902; PriorityTag:1
Tx a256; PriorityTag:0 | Tx a353; PriorityTag:0 | Tx a762; PriorityTag:0
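
The workflow in steps 1 to 4 and the header fields of Table 1, as an added Python sketch (not the authors' implementation). The transaction IDs come from Table 1; the department names, the `b001` sender, the downgrade policy in `effective_tag` and the truncated SHA-256 roots are assumptions made for illustration.

```python
import hashlib
import random
from collections import deque
from dataclasses import dataclass

# Assumption: departments allowed to set PriorityTag = 1 (names are hypothetical).
PRIORITY_DEPARTMENTS = {"trauma", "emergency"}

@dataclass(frozen=True)
class Tx:
    tx_id: str
    department: str
    priority_tag: int        # 1 = priority, 0 = non-priority, as claimed by the sender

@dataclass
class TxGroup:               # mirrors the header and payload fields of Table 1
    shard_id: int
    pre_state_root: str
    priority_score: int      # count of priority transactions in the block
    post_state_root: str
    receipt_root: str
    validators: list
    payload: list            # (tx_id, effective tag) in mining order

def digest(*parts):
    """Truncated SHA-256 used as a stand-in root (not Ethereum's state trie)."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:8]

def shard_count(n_txs, n_validators, shard_capacity, min_validators):
    """Step 1: the shard count is bounded by transaction load and validator supply."""
    by_load = -(-n_txs // shard_capacity)          # ceiling division
    by_validators = n_validators // min_validators
    return max(1, min(by_load, by_validators))

def effective_tag(tx):
    """Validator-side check (hypothetical policy): a priority tag set by a
    department that may not set it is downgraded to 0 instead of being trusted."""
    authorised = tx.department in PRIORITY_DEPARTMENTS
    return 1 if tx.priority_tag == 1 and authorised else 0

def p_shard(mempool, validators, shard_capacity, min_validators, seed=0):
    rng = random.Random(seed)
    n = shard_count(len(mempool), len(validators), shard_capacity, min_validators)
    # Step 1: random, disjoint assignment. Walking the pool in arrival order
    # keeps FIFO order inside each sub-block.
    sub_blocks = [[] for _ in range(n)]
    for tx in mempool:
        sub_blocks[rng.randrange(n)].append(tx)
    pool = list(validators)
    rng.shuffle(pool)                              # random validator assignment
    groups = []
    for shard_id, txs in enumerate(sub_blocks):
        # Step 2: two FIFO mining queues per shard.
        prio, non_prio = deque(), deque()
        for tx in txs:
            (prio if effective_tag(tx) else non_prio).append(tx)
        # Step 3: the priority queue is drained before the non-priority queue.
        order = []
        while prio:
            order.append((prio.popleft().tx_id, 1))
        while non_prio:
            order.append((non_prio.popleft().tx_id, 0))
        # Step 4: build the transaction group that is added to the shard.
        pre = digest("genesis", str(shard_id))
        post = digest(pre, *(tx_id for tx_id, _ in order))
        groups.append(TxGroup(shard_id, pre, sum(tag for _, tag in order), post,
                              digest("receipts", post), pool[shard_id::n], order))
    return groups

# Constructed sample: IDs from Table 1 plus one transaction (b001) whose sender
# claims priority without being a trauma or emergency department.
SAMPLE_MEMPOOL = [
    Tx("a142", "emergency", 1), Tx("a256", "cardiology", 0),
    Tx("a674", "trauma", 1),    Tx("b001", "billing", 1),
    Tx("a542", "emergency", 1), Tx("a353", "radiology", 0),
    Tx("a231", "trauma", 1),    Tx("a892", "emergency", 1),
    Tx("a762", "pharmacy", 0),  Tx("a902", "trauma", 1),
]

if __name__ == "__main__":
    for group in p_shard(SAMPLE_MEMPOOL, ["v1", "v2", "v3", "v4", "v5", "v6"], 4, 2):
        print(group)
```
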


Based on the queuing theory principle [33], the incoming shards follow a
Poisson distribution. Upon arrival, each shard is placed either in the priority
queue, with a mean arrival rate of $\lambda_p$, or in the non-priority queue,
with a mean arrival rate of $\lambda_{np}$, such that the total rate is

$$\lambda = \lambda_p + \lambda_{np} \quad (1)$$


It is important to notice that the waiting time of the non-priority transactions
in the queue is longer than that of priority transactions, and typically depends
on the number of transactions waiting to get processed in the priority queue
ahead of the non-priority queue, such that
u 
Wrg = g-a e (2) 
where $\mu$ is the average processing time of the validators, and $W_{pq}$ and
$W_{nq}$ are the average waiting times of a transaction in the priority and
non-priority queue, respectively. The general equations for our model, where
priority transactions are served at the rate $\mu_1$ and non-priority
transactions are served at $\mu_2$, are as below:


Olas Ap Awl + (Anp/A) (Ht /H3) (3) 
Hı 1- Ap/ Hı 
Anp/ Ha joel + (Anp/A) (4/43) (4) 
1— p/p 1 = Ap/ta — Anp/ H2 
where $QL_{pq}$ and $QL_{nq}$ are the respective mean queue lengths of the
prioritised and non-prioritised queues. The total utilization, or % system busy
time, is given by


QLing = 


Hı H2 


Anp — A _ Apt Anp 
Hı H2 Hı Hı 


(6) 


Both the priority and non-priority mining queues in our P-sharding model
use non-preemptive scheduling to handle cases of conflict between
transactions of the same priority. The transaction that reaches the head of the
shard is deemed valid and served first. Non-preemptive priority scheduling also
saves time. Our system is based on the following assumptions.


— Priority and non-priority mining queues are kept of infinite buffer capacity (B) 
to avoid transactions being discarded in order to maintain Quality-of-Service 
(QoS). 

— In our simulations, we keep all validators of the same capacity for fair play.
The above assumptions might not be realistic, and we will work on
this in our future research, as queuing is another research domain.
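
An added simulation, not the authors' code, of the two mining queues under non-preemptive priority on a single validator with one shared service rate and unbounded buffers. `analytic_waits` uses the standard textbook result for that simplified case rather than the paper's general equations; the rates passed in are constructed values.

```python
import random
from collections import deque

def simulate(lam_p, lam_np, mu, n_tx, prioritised=True, seed=1):
    """Mean queueing delay per class on one validator.

    prioritised=True  : priority queue is always served first (non-preemptive).
    prioritised=False : plain FIFO across both classes (baseline).
    """
    rng = random.Random(seed)
    lam = lam_p + lam_np
    # Constructed workload: merged Poisson arrivals, exponential service times.
    t, jobs = 0.0, []
    for _ in range(n_tx):
        t += rng.expovariate(lam)
        tag = 1 if rng.random() < lam_p / lam else 0
        jobs.append((t, tag, rng.expovariate(mu)))

    queues = {1: deque(), 0: deque()}
    waits = {1: [], 0: []}
    clock, i = 0.0, 0                      # clock = time the validator is next free
    while i < n_tx or queues[1] or queues[0]:
        # Admit everything that arrived while the validator was busy.
        while i < n_tx and jobs[i][0] <= clock:
            queues[jobs[i][1]].append(jobs[i])
            i += 1
        if not queues[1] and not queues[0]:
            clock = jobs[i][0]             # idle: jump to the next arrival
            continue
        if prioritised:
            chosen = queues[1] if queues[1] else queues[0]
        else:
            waiting = [qu for qu in queues.values() if qu]
            chosen = min(waiting, key=lambda qu: qu[0][0])   # earliest arrival
        arrived, tag, service = chosen.popleft()
        waits[tag].append(clock - arrived)
        clock += service                   # non-preemptive: service is never interrupted
    return {"priority": sum(waits[1]) / len(waits[1]),
            "non_priority": sum(waits[0]) / len(waits[0])}

def analytic_waits(lam_p, lam_np, mu):
    """Textbook mean waits for two-class non-preemptive priority M/M/1
    with equal service rates (an assumption of this example)."""
    rho_p = lam_p / mu
    rho = (lam_p + lam_np) / mu
    residual = rho / mu                    # mean remaining work of the job in service
    w_priority = residual / (1 - rho_p)
    w_non_priority = residual / ((1 - rho_p) * (1 - rho))
    return w_priority, w_non_priority

if __name__ == "__main__":
    print("priority discipline:", simulate(0.2, 0.4, 1.0, 200000))
    print("FIFO baseline      :", simulate(0.2, 0.4, 1.0, 200000, prioritised=False))
    print("analytic           :", analytic_waits(0.2, 0.4, 1.0))
```
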


The process of sharding of prioritized blocks containing priority transactions 
is explained in Algorithm 1. 


4 Implementation and Performance Analysis 


In this section, we present the implementation setup and analysis of our
simulated results.

Algorithm 1. P-sharding: prioritised sharding

Input: Transactions (Tx), No. of validators, Capacity of each shard, Minimum
validators per shard, Previous block hash, No. of transactions in memory pool,
Current state

Required: Queue capacity, Priority tag, Arrival rate of transactions (λp, λnp),
Service time (ts)

Output: Mined blocks (Mp), Priority score (PS), Departure time from queue (ta)

Set PriorityTx Arrival rate ← λp, Non-PriorityTx Arrival rate ← λnp
Set Priority MiningQueue capacity ← B, Set NonPriority MiningQueue capacity ← B
Set Validators ← Mr
Set Minimum validators per Sharded Block ← Msp
Set Maximum Sharded Block ← Sx
Current state ← Cst
Memorypool ← transactions(Tx), ServTime(ts) ← Start
Current state ← Cst++
ArrTime ← ta, priority tag ← 1 / 0
If (Tx → priority tag[1])
{
    txp1, txp2, txp3, ..., txpn := tx
    Priority MiningQueue ← txp1, txp2, txp3, ..., txpn
}
else
{
    txnp1, txnp2, txnp3, ..., txnpn := tx
    NonPriority MiningQueue ← txnp1, txnp2, txnp3, ..., txnpn
}
ts ← end
Result ← (Mp) txp1 + txp2 + ... + txpn ... + txnpn,
    PS = count(txp), DepTime(ta) ← ta + ts


4.1 Simulation Setup 


We simulate our model in Python in a controlled permissioned blockchain
environment. The study designed a blockchain scenario by creating multiple
Ethereum virtual nodes on each device, with the configuration Lenovo
ThinkCentre, Intel(R) Core(TM) i5-7500 CPU @ 3.40 GHz, Windows 10 Enterprise,
64-bit, 16 GB. It mainly aims to measure and compare the overhead of the existing
sharding approach [15] and our proposed prioritised sharding model.

Our model consists of a source station (transactions), one queuing station
(memory pool), a fork station (P-sharding), two sets of queues (priority mining
queue and non-priority mining queue), one join station, and a sink station
(discharge block), as shown in Fig. 3. The arrival rate for the transactions
source station is generated randomly. The memory pool is modeled as M/M/1, where
the arrival of transactions is Poisson distributed, the service time is
exponentially distributed, and the number of servers is one. The mining pool, on
the other hand, is modeled as M/M/c since, in reality, several validators compete
in parallel to solve a single block of puzzle. The fork station named P-sharding
splits the transactions based on their priority tag. This station is used to
achieve fast processing and reduce the service time of transactions in the mining
pool. This task is synchronized and forwarded for processing in the priority and
non-priority mining queue respectively. After all these tasks are processed and
completed, they are joined again to dispatch the final blocks to the blockchain
network.


[Figure: Transactions, Memory Pool, P-Sharding, Priority Mining Queue and
Non-Priority Mining Queue, Join, Discharge Blocks]

Fig. 3. Simulation model for P-sharding.


4.2 Simulated Results 


In this section, we present simulated results of our model and compare them
with the basic sharding model. We have utilized updated Ethereum² actual
data parameters to carry out our simulations. The QoS performance metrics
with the proposed P-sharding model and basic sharding are shown in Figs. 4 and 5,
respectively, and explained below.


— Mining queue count after sharding. These are the accumulated sharded trans- 
actions that are waiting in queue to get mined. 

  • Priority mining queue count after sharding. Due to the probabilistic
    approach, the priority mining queue has more priority transactions than the
    non-priority mining queue. In Ethereum simulation, the average priority
    mining queue count comes out to be 0.5772, which improves significantly
    as compared to the basic sharding where all transactions are considered
    evenly irrespective of their priority, as shown in Figs. 4(a) and 5(a),
    respectively.

  • Non-priority mining queue count after sharding. The average non-priority
    mining queue count comes out to be 0.3837 in Fig. 4(a).

— Response time. It is the average mining time of a shard, or the mining time of
both the priority and non-priority mining queues, which is almost the same with
negligible variations due to dynamic arrival and mining rates. In Ethereum,
both queues have an average simulated mining rate of 0.0712 s, with the
input or actual mining rate of 0.0714 s shown in Fig. 4(b), which is
consistent with the sharding results in Fig. 5(b).


² https://etherscan.io/.

— Throughput. The rate at which transactions depart from a mining queue, i.e.,
the number of transactions completed in a unit time, depicted in Fig. 4(c).

  • Priority mining queue throughput. The priority mining queue has higher
    throughput. In other words, mining of a prioritised transaction is faster as
    compared to the non-priority mining queue. In Ethereum simulation, the
    average throughput in the priority mining queue is 7.9877 tps (refer to
    Fig. 4(c)), which is faster than the basic sharding where all the
    transactions, irrespective of their priority, are treated the same, as shown
    in Fig. 5(c).

  • Non-priority mining queue throughput. The departure of transactions in
    a non-priority mining queue is comparatively slower. In Ethereum
    simulation, the average throughput in the non-priority mining queue is
    5.3248 tps.

— Utilization. It can be defined as the percentage of time a station is used
(i.e., busy). It ranges from 0 (0%), when the station is idle, to a maximum
of 1 (100%), when the station is constantly busy mining transactions for the
entire simulation run. The utilization rate with a single server S is
$U = \lambda S$ and, subsequently, the utilization with $m$ servers is
$U = \lambda S / m$, where $\lambda$ is the arrival rate.

  • Priority mining queue utilization. In the priority mining queue, we set up
    three servers (validator nodes) mining three sharded blocks simultaneously
    with utilization $1.86 \times 10^{-3}$, less than 1 (Fig. 4(d)), which means the
priority mining queue is not fully occupied. Hence our system achieves 
p* < Ê. In the basic sharding model, the system is congested due to a 
high utilization rate (refer Fig. 5(d)). 


To further validate our model, Table 2 shows the comparison between the
actual and simulated results of basic sharding and our P-sharding model. The 
values indicate the significant improvement in the stated parameters with our 
P-sharding model in comparison with the basic sharding model. 


4.3 Performance Analysis 


In this section, we evaluate the performance of our proposed P-sharding
mechanism as shown in Figs. 6 and 7.


— Latency per number of shards. The latency (or average confirmation time)
of a transaction is measured from the time the transaction is sent until it is
committed to the blockchain. It is a significant factor in block propagation
time. A large number of confirmed sharded blocks will multiply this delay, as
shown in Fig. 6(a). The latency changes linearly with the increasing number
of shards and transaction rate, which shows that the two mining queues are
able to streamline the flow of transactions.

Fig. 4. Simulation results of Ethereum real statistics with P-sharding.


Table 2. Comparison between the simulated results of sharding and proposed
P-sharding model.

Parameters              | Sharding | P-sharding:           | P-sharding:
                        |          | priority mining queue | non-priority mining queue
Mining queue count (tx) | 1.4359   | 0.5772                | 0.3837
Response time (sec)     | 0.0713   | 0.0712                | 0.0712
Throughput (tx/sec)     | 6.4379   | 7.9877                | 5.3248
Utilization             | 0.00479  | 0.00186               | 0.00126


— Latency per transaction rate. We analyze the latency with respect to the rate
of input transactions in the mining queue, i.e., the number of transactions
coming in unit time for mining. As shown in Fig. 6(b), it increases with the
increase in input transactions to the mining queue with respect to the increase
in the number of shards.

Fig. 5. Simulation results of Ethereum real statistics with sharding.


— Throughput per number of shards. The transaction throughput is the rate at
which valid transactions are committed by the blockchain at one time, i.e.,
committed at all nodes of the network, usually measured in transactions per
second. Throughput decreases with an increase in the number of shards and
input transactions as shown in Fig. 7(a). These results indicate that the
proposed scheme achieves its highest throughput with 16 shards, when running
with different combinations of transaction rates and number of shards.

— Throughput per transaction rate. The results in Fig. 7(b) show that our
proposed scheme is capable of handling variable transaction rates as the
throughput changes linearly without lagging. It guarantees that there is no
backlogging or congestion in the system.


Our idea of prioritised sharding with parallel mining divides the overloaded
transactions into shards, allowing multiple concurrently maintained sub-chains to
record them. In this way, we are able to improve the processing rate of emergency
transactions significantly while keeping the whole network less congested. This
eventually improves the scalability of the network.

Fig. 7. Performance analysis in terms of throughput.


5 Conclusion and Further Discussion 


We propose a framework to streamline the processing of prioritised transactions 
in a blockchain-based access model. With our method of prioritised sharding, the 
emergency transactions were divided among smaller shards and mined in parallel. 
This improved the processing rate of prioritised transactions drastically. Also, 
the mining congestion is reduced with our proposed P-sharding model, as the
waiting time for transaction confirmation reduces. The QoS improved
in our proposed P-sharding algorithm in the context of prioritised transactions 
as compared to the existing sharded blockchain. In this paper, the performance 
of a high-level blockchain-based access control model had also been evaluated 
which provided insights about developing a prioritised, scalable, and efficient 
decentralised access control framework for healthcare. The simulation results 
are promising and give valuable insights into our model. 

However, in certain ways, the model needs a more in-depth evaluation of how
validators come to a decentralised consensus to select the emergency transactions
and avoid selfish mining. In a real scenario, there exist transactions with
varying priorities. Therefore, we should include them and implement the whole
system on a larger scale. Further, to enhance interoperability, it is important
to analyse the work on cross P-shard communication to efficiently share
prioritised EMRs across different blockchain-based access control models. Another
challenge is how to join these prioritised sharded transactions and dispatch them
to the blockchain network in a decentralised manner, which still needs to be
deeply explored. We welcome the research community to contribute to alleviating
these issues and to explore further challenges in this domain.
Abstract. Deep knowledge tracing is a family of deep learning models
that aim to predict students’ future correctness of responses for different 
subjects (to indicate whether they have mastered the subjects) based on 
their previous histories of interactions with the subjects. Early deep knowl- 
edge tracing models mostly rely on recurrent neural networks (RNNs) that 
can only learn from a uni-directional context from the response sequences 
during the model training. An alternative for learning from the context 
in both directions from those sequences is to use the bidirectional deep 
learning models. The most recent significant advance in this regard is 
BERT, a transformer-style bidirectional model, which has outperformed 
numerous RNN models on several NLP tasks. Therefore, we apply and 
adapt the BERT model to the deep knowledge tracing task, for which 
we propose the model BiDKT. It is trained under a masked correctness 
recovery task where the model predicts the correctness of a small percent- 
age of randomly masked responses based on their bidirectional context 
in the sequences. We conducted experiments on several real-world knowl- 
edge tracing datasets and show that BiDKT can outperform some of the 
state-of-the-art approaches on predicting the correctness of future student 
responses for some of the datasets. We have also discussed the possible 
reasons why BiDKT has underperformed in certain scenarios. Finally, we 
study the impacts of several key components of BiDKT on its performance. 


Keywords: Educational data mining · Knowledge tracing · BERT


1 Introduction 


The Intelligent Tutoring System (ITS) aims to provide students with personalised 
learning schemes based on their respective proficiency over different teaching con- 
cepts/subjects to help them achieve better learning outcomes. Hence, the effi- 
cacy of personalisation highly depends on the accurate estimate of students’ profi- 
ciency. The ITS usually requires the students to become sufficiently knowledgeable 
about one concept before allowing them to proceed to study the next concept [23]. 
Alternatively, it has also attempted to place the questions/exercises in an optimal
ordering such that students with increasing levels of proficiency can tackle them 
progressively without being discouraged or dropping out from the study [15]. The 
estimates of the student proficiency can also help the ITS monitor the skill devel- 
opment of the students implicitly and meanwhile, give them explicit feedback on 
their performance under different skills/subjects on time [2]. 

A well-known family of approaches that can effectively estimate the student’s 
proficiency is knowledge tracing (KT) [11]. Corbett and Anderson [4] proposed 
the first knowledge tracing model based on Bayesian statistics and inference, 
referred to as the Bayesian knowledge tracing (BKT). It estimates the student’s 
proficiency over different teaching concepts based on a student’s previous history 
of performance on interactive exercises [4]. They proposed that if the model 
could accurately predict students’ future behaviours based on their performance 
history, it can be considered able to capture the students’ proficiency on different 
teaching concepts. They achieved this by modelling the historical performance 
sequences of each student as a Markov process which tracks the students’ learning 
states on each subject as being either mastered or not mastered. The Markov 
process is primarily characterised by 1) a transition probability of the subject 
from being not mastered to mastered, but not vice versa, and 2) conditional 
probabilities of correctness given different states of the mastery. These two sets 
of probabilities are estimated using the Bayesian inference method. 

After this pioneering work, a plethora of research that aimed to extend the
BKT model has been proposed. For example, Pardos and Heffernan have
proposed to introduce the difficulty of the questions into the BKT model by
conditioning the probabilities of correctness on the specific questions [21].
Yudelson et al. proposed to personalise the two sets of probabilities by making
them specific to each student [29]. These extended models have been shown to
improve the prediction accuracy on the correctness of responses of the students
compared to the original BKT model. However, despite the performance
improvements, these traditional knowledge tracing models are developed under the
constraints imposed by the Bayesian methods (e.g., the restricted Bayesian update
rules on the parameters and the difficulty of being scaled up to handle large
datasets with longer sequences [8]). As a theoretical result, their performance
improvements are limited due to the lack of flexibility.

The advent of deep neural networks granted the ITS a competitive alter- 
native for knowledge tracing. In theory, leveraging deep learning techniques for 
knowledge tracing can 1) avoid the heavy engineering of the input features that 
are required by many classical models and 2) increase the flexibility and efficacy 
of the student proficiency and response correctness estimation. The pioneering 
work of applying deep learning to knowledge tracing is from [22] where a recur- 
rent neural network (RNN) is employed for sequentially predicting the response 
correctness of each student on the current questions based on their response cor- 
rectness on the previous questions. In their model, the student proficiency and 
its transition patterns (e.g. skill mastery transitions) are modelled by the flexible 
and sophisticated non-linear recurrent layers instead of some statistical models. 
The authors reported a substantial gain in performance from this “deep” version
of the knowledge tracing, referred to as DKT, compared to BKT models. Following
the DKT paradigm, many extensions have been proposed which have focused
on using recurrent neural networks for the sequential prediction of the response
correctness [16, 19, 22, 28, 30]. Their performance, however, is mostly comparable
to that of the original DKT model. This has cast a question to deep learning for
knowledge tracing; that is, whether the former has the potential to contribute
to a further leap in the performance of the latter. In particular, Gervet et al.
[8] have found that the DKT model tends to overfit smaller datasets and is less
effective than a logistic regression model with hand-crafted features. For larger
datasets, DKT tends to perform better than the logistic regression model.

Recently, transformer-style deep learning models have started to become
prominent and lead the performance in many natural language processing and
computer vision tasks. One of the most popular transformer-style models is BERT
[5], which leverages stacks of fully connected transformers (as hidden layers)
and random masked token prediction (as the objective) for capturing the
contextual information of each input token. Unlike the RNN models, which
endeavour to capture sequential contexts during the training, BERT focuses on
the bidirectional contexts, which tend to convey more information about each
input token than the sequential ones. BERT has had many extensions [18, 24, 27].
Nonetheless, it remains the most popular and effective deep learning model whose
potential has never been fully exploited in the knowledge tracing domain.

Therefore, in this paper, we strive for filling this research gap by adapting 
BERT to the domain of knowledge tracing. To achieve this, we seek to answer 
the following research questions: 


— RQ1: How can BERT be adapted to 1) take in the knowledge tracing sequen- 
tial data, which consists of the (correctness of) students’ responses, the 
responded questions and subjects, and 2) perform random masking on the 
input data, which needs to be specialised for knowledge tracing? 

— RQ2: How does BERT perform compared to the state-of-the-art DKT models 
and the classical BKT and logistic regression models in terms of the prediction 
accuracy on the response correctness? 

— RQ3: Under what conditions does BERT yield better or worse prediction
performance, possibly compared with the aforementioned competing models? 


Therefore, in this paper, we first reviewed the research that had been done in 
the knowledge tracing domain especially in how recent new deep learning tech- 
niques have been applied to the deep knowledge tracing model to improve model 
performance. We then proceeded to introduce our proposed deep knowledge trac- 
ing with BERT. We introduced how we constructed our model layer by layer and 
the training and testing strategies for our model. We also introduced a plethora 
of experiments we conducted to evaluate the performance of our proposed model 
and discussed in what circumstance our model would perform better and how 
the changes of some of the important parameters of the model could affect the 
performance of the model. Finally, we concluded the result of our research and 
discussed how some of the improvement and future work could be done to the
research and the deep knowledge tracing domain. 


2 Related Work 


2.1 Bayesian Knowledge Tracing and Extensions 


Corbett and Anderson [4] proposed the Bayesian Knowledge Tracing model (i.e., 
BKT), which attempts to capture the knowledge states of students in an ITS. 
It has the following modelling assumptions: 


— The knowledge state is binary for a subject, either “mastered” or “non- 
mastered”, and the state can only change in one direction: from “non- 
mastered” to “mastered”. 

— The correctness of response is conditioned on the student’s knowledge state 
on the corresponding subject (as a conditional probability table). 


The knowledge tracing is then modelled by BKT as a Markov process. As 
a student responds to a sequence of questions, each belonging to a subject, 
BKT maintains the estimated probability that each subject is in the “mastered” 
state; when the student answers a question, this probability will be updated 
simultaneously. 

Based on the BKT model, there has been further research on proposing 
extended models or studying the properties and limitations of BKT. Pardos 
and Heffernan [21] proposed to introduce difficulty (level) variables to different
questions. Yudelson et al. proposed to have the probabilities of the knowledge 
state P(L+) and the mastery transition P(T) specific to each student [29]. 

Khajah et al. [13] have studied the limitations of the classical BKT model.
They found that the performance of BKT relies heavily on whether the Markov
process modelling assumptions satisfy the particular scenario to which BKT is
applied. Furthermore, they pointed out that due to the modelling limitations,
BKT has failed to fully exploit the recency effects where a student who has
(constantly) underperformed in recent timestamps tends to underperform in the
current one. Correspondingly, Galyardt and Goldin [7] have shown that
integrating features of recent history into their logistic regression model can
improve its predictive performance on response correctness. BKT has also failed
to capture the effects of the ordering patterns (e.g. interleaved ordering) of
the subjects on the response correctness. Moreover, it ignores the inter-subject
similarity and its effects on the response correctness; students are more likely
to master more similar subjects altogether by practising on questions under
these subjects [13].


2.2 Deep Knowledge Tracing and Its Extensions 


To address the problems that BKT had, Piech et al. [22] proposed to apply 
recurrent neural networks (RNNs) [10] to exploit more of the complex character- 
istics of the sequential student-question interactions in knowledge tracing. They 
further employed a specialised case of RNN, long-short-term memory (LSTM)
networks [12], which is more capable of capturing the long-term non-linear inter- 
actions in the sequences. 

Ever since the proposal of the DKT model, many extensions with more deep 
learning capabilities and modelling of more characteristics of knowledge tracing 
have been proposed. Cheung and Yang [3] proposed to incorporate heterogeneous 
features, such as the number of hints used and the number of attempts, into the 
DKT model. They used the classification and regression tree (CART) to predict 
whether a student will answer a question correctly based on the heterogeneous 
features. This prediction will be concatenated with the ground-truth value of 
the response correctness and the result will be encoded into a four-digit one-hot 
vector. This vector will then be concatenated with the original one-hot vector of 
the pairwise input as the new input of the model. This model has been shown 
to have higher AUCs compared to the DKT model. 

Minn et al. [19] proposed to incorporate the dynamic clustering of students 
into the DKT model. They achieved this by segmenting the sequences of stu- 
dents’ responses into multiple equal-width intervals. The model will dynamically 
group the students based on their estimated proficiency in different subjects 
using the K-means clustering for each interval. The inputs of their proposed 
model then include the resulting group IDs, the subject IDs, and the responses’ 
correctness. It has been shown to achieve higher AUCs than the DKT and BKT 
models. This paper has also investigated the impacts of the different number of 
clusters and the width of time intervals on the model performance. 

More recently, the self-attention mechanism has attracted attention from the 
deep knowledge tracing domain. Pandey and Karypis proposed the first deep 
knowledge tracing that applied the self-attention mechanism [20]. Ghosh et al. 
proposed an attentive deep knowledge tracing model that applied monotonous 
self-attention in the encoder from Transformer to minimise the effect of unrelated 
subjects and interaction distant, in terms of time, from the position required to 
be predicted [9]. 


2.3 Transformer and BERT 


A major problem of the RNN is that it performs sequential prediction, which 
hinders the parallelisation of its training and prediction. To address this issue, 
Vaswani et al. [26] proposed the transformer model which completely relies on the 
self-attention mechanism for the sequential prediction. A transformer inherits the 
classical encoder-decoder architecture. Both the encoder and decoder comprise a 
stack of composites of a multi-head self-attention component followed by a feed- 
forward network. In the encoder component, each input element will be used as a 
query for the self-attention in which the embedding of each of them is attended to 
the embeddings of all the others to obtain their final latent representations, which 
will be used in the decoder. To handle the problem that there is no convolution 
and recurrence in the transformer, a positional embedding specific to each input 
element is added/concatenated to their embeddings. The Transformer model 
has outperformed many state-of-the-art sequential sequence-to-sequence deep 
learning models at the time in several NLP tasks. More importantly, it has 
provided the foundation for many powerful state-of-the-art bidirectional deep 
learning models to date. 

BERT [5] is one of the most successful bidirectional deep learning mod- 
els based on the transformer encoder. It comprises the stack of composites of 
the multi-head self-attention component and the feed-forward network from the 
encoder part of the transformer model. The output from each layer of the com- 
posite serves as the input to the composite at the next layer. Another key feature 
of BERT is that it is trained to recover a small percentage of randomly masked 
input elements from the sequences. This training phase of BERT is known as the 
pre-training, which aims to learn coherent and meaningful latent representations 
for the data. 


3 Proposed Model Architecture 


3.1 Problem Formulation 


The knowledge tracing problem can be formulated as a sequential prediction
problem: given a sequence of a student’s interactions $x_1, \ldots, x_T$, a DKT
model needs to predict the result of the next interaction $x_{T+1}$, which is
the correctness of the $(T+1)$-th response. In this case, the $t$-th interaction
is denoted as $x_t = (q_t, a_t)$ where $1 \le t \le T$. Here, $q_t$ refers to
the $t$-th subject the student was practising on, and $a_t \in \{0, 1\}$ is the
correctness of the student’s response to the question under the $t$-th subject,
with the value 1 standing for being correct [22].

A straightforward architecture for DKT is based on the RNN-type neural 
networks which model uni-directional sequential contexts and are trained to use 
the results of all the previous interactions to predict the result of the current 
interaction. However, we believe that modelling uni-directional sequential con- 
texts is not sufficient for learning the complex dynamic patterns underlying the 
sequences of interaction results between the students and the subjects. Instead, 
we should model the bidirectional contexts surrounding each interaction to let 
the model better figure out what patterns underlying the preceding (or sub- 
sequent) interactions might have contributed to the current interaction result 
(Fig. 1). 

Therefore, we propose to apply and adapt BERT, a transformer-style bidirectional
deep learning model, to knowledge tracing. We name the adapted BERT model BiDKT.
Unlike the current DKT models and the self-attentive knowledge tracing model
[20], which are uni-directional and thus only make use of the preceding sequence
$x_1, \ldots, x_t$ while predicting $a_{t+1}$, BiDKT also leverages the
subsequent sequence from $x_{t+2}$ to $x_T$ to predict $a_{t+1}$. In the
following sections, we will further introduce the key components of the BiDKT
model.


3.2 Input and Embedding Layer 


Fig. 1. The network architecture of our proposed BiDKT model.


The input layer of BiDKT takes in each interaction in the sequences specific to
each student, which consists of two tokens: the correctness token (i.e., $a_t$)
and the subject token (i.e., $q_t$). BiDKT inherits the transformer architecture
which naturally ignores the position information of each interaction in the
sequences. However, such information can be useful for revealing the knowledge
states of the students. For example, students’ earlier responses in their
respective sequences are more likely to be erroneous, while their later
responses are less likely to be so. Therefore, it is reasonable for the input
layer of BiDKT to incorporate the positional information of each interaction.
Thus, the final embedding for the $t$-th interaction $x_t$ is equal to the
element-wise summation of three corresponding embeddings: the subject embedding
$q_t$, the correctness embedding $a_t$ and the position embedding $p_t$.
Mathematically, this can be formulated as:


$$e_t = q_t \oplus a_t \oplus p_t \tag{1}$$


In the following sections, we use $X$ to denote the input matrix for BiDKT where:


$$X = \begin{bmatrix} e_1 \\ \vdots \\ e_T \end{bmatrix} \tag{2}$$

However, the introduction of the position embedding can limit the length
of the sequence for the input layer [25]. When the sequence length exceeds the
maximum length allowed by the model, it needs to be split into shorter sequences
to fit it into the model [9,25]. More precisely, we denote by $N$ the maximum
length of the sequence input for BiDKT; a sequence with length $T > N$ is split
into $\lceil T/N \rceil$ sequences. After the embedding layer, we apply a
dropout layer to the output embeddings of each interaction to prevent the
overfitting problem before feeding them to the core transformer layers.


3.3 Transformer Layers 


The transformer layers of BiDKT are stacks of fully connected composites of two 
neural network modules: a multi-head self-attention module and a position-wise 
fully connected feed-forward neural network [26]. The first module is responsible 
for aggregating the contextual information towards each interaction from the 
other interactions in the same sequences. The second module takes in the aggre- 
gated information and transforms it non-linearly for the inputs of the next layer. 
We will elaborate on the details of both the modules in the following sections. 


Multi-head Self-attention Layer. Self-attention [26] is a mechanism that
can compute the embedding for each position in a sequence by relating the
embeddings at all the other positions in the same sequence. More specifically,
a multi-head attention mechanism with $H$ heads refers to applying the
self-attention mechanism to $H$ consecutive chunks of the sequence separately
with different sets of trainable parameters, which has been found beneficial to
the performance of the model [26]. Each “head” is responsible for projecting the
embeddings of the input matrix $X \in \mathbb{R}^{T \times M}$ into a query
matrix $Q \in \mathbb{R}^{T \times M'}$, a key matrix
$K \in \mathbb{R}^{T \times M'}$ and a value matrix
$V \in \mathbb{R}^{T \times M'}$ respectively via the dot product with the
corresponding trainable projection matrix, including
$W_Q \in \mathbb{R}^{M \times M'}$, $W_K \in \mathbb{R}^{M \times M'}$ and
$W_V \in \mathbb{R}^{M \times M'}$, as follows:


$$Q = XW_Q, \qquad K = XW_K, \qquad V = XW_V \tag{3}$$


In this case, the intermediate dimension for each head is $M' = M/H$. For the
$i$-th self-attention head where $1 \le i \le H$, its calculation can be
formulated as follows:


$$A_i = \text{Attention}(Q, K, V) = \text{Softmax}\left(\frac{QK^{\top}}{\sqrt{M'}}\right)V \tag{4}$$


where the result $A_i \in \mathbb{R}^{T \times M'}$. Afterwards, all the
attention results across the $H$ heads will be concatenated in the output layer
of the multi-head self-attention module as follows:


$$Z = \text{Concat}(A_1, A_2, \ldots, A_H)W_O \tag{5}$$


where $W_O \in \mathbb{R}^{M \times M}$ is a weight matrix for computing the
final output embeddings $Z \in \mathbb{R}^{T \times M}$ from the multi-head
attention module. This module allows BiDKT to capture the bidirectional
information from all the positions in each sequence during the training.
Moreover, the attention computation of each head can be parallelised, which can
reduce the computational complexity of the model.


Feed-Forward Neural Network (FNN) Layer. We then feed the output
of the multi-head self-attention module to a position-wise fully-connected
feed-forward neural network, which can be formulated as follows:


$$\text{FNN}(Z) = \text{Max}(0, ZP_1 + b_1)P_2 + b_2 \tag{6}$$


where $P_1 \in \mathbb{R}^{M \times L}$ and $P_2 \in \mathbb{R}^{L \times M}$
are the trainable weight matrices for the hidden and output layers of the FNN
module, while $b_1 \in \mathbb{R}^{L}$ and $b_2 \in \mathbb{R}^{M}$ are the bias
vectors for the two layers respectively. Notice that we set the above trainable
weight matrices and bias vectors to be specific to each layer of the transformer
component.


3.4 Output Layers 


The output module of BiDKT starts with a dense layer with GELU (i.e. Gaussian 
Error Linear Unit) activation function. It is followed by a normalisation layer, 
whose result is passed onto the softmax function to obtain the predicted proba- 
bility of response correctness corresponding to each interaction in the sequences. 
The output embeddings from the activated dense layer have a dimension of 4, 
where the indices 0 and 1 are reserved tokens respectively for the padding and 
the masked tokens, the index 2 represents the incorrect response, and index 3 
represents the correct response. Finally, the softmax probability outputs for each 
interaction in the sequences will be multiplied element-wise with a binary mask- 
ing layer. Its positions corresponding to the masked interactions are set to be 1 
and the observed interactions are set to be 0, so that only the predictions for 
the “to-be-recovered” interactions will be considered in the calculation of the 
loss. In this case, BiDKT aims to minimise a sparse categorical cross-entropy 
between the correctness of the target (i.e. to-be-recovered) interactions and the 
corresponding softmax probability outputs. 


3.5 Model Training and Testing 


Training. Previous DKT models are primarily based on RNNs. Therefore, their
training strategy focuses on predicting one interaction ahead. More specifically,
with sequential inputs $x_1, \ldots, x_t$, $1 \le t \le T$, for the training,
the corresponding outputs are $a_2, \ldots, a_{t+1}$ [22]. As for BiDKT, the
ground-truth interactions will be masked at the input layer so that the
corresponding predictions in the output layer will not be able to “see” the
ground-truths but rather infer them using the surrounding bidirectional
information from the sequences. Therefore, a straightforward training strategy
for BiDKT is to simply predict the masked interactions at the current timestamps
(rather than the ones ahead) based on the corresponding [MASK] tokens in the
input layer.

More specifically, during the training, we will randomly substitute a small
percentage of the correctness tokens with a [MASK] token, while the
corresponding subject tokens are intact and input into BiDKT as they are. As an
example, given an interaction sequence with the length of 4, i.e.
$(q_1, a_1) \to (q_2, a_2) \to (q_3, a_3) \to (q_4, a_4)$, for the training, its
corresponding random masked sequence to be input to the model will be in the
form of $(q_1, a_1) \to (q_2, \text{[MASK]}) \to (q_3, a_3) \to (q_4, \text{[MASK]})$.


Testing. For testing, we adopted a method similar to the one in [25]. More 
specifically, for any sequence in the test data with the length being T’, we gen- 
erate T’ sequences from it. Take a sequence with the length of 4 as an example. 
We will generate the following four sequences: 


Sequence 1: $(q_1, \text{[MASK]})$

Sequence 2: $(q_1, a_1) \to (q_2, \text{[MASK]})$

Sequence 3: $(q_1, a_1) \to (q_2, a_2) \to (q_3, \text{[MASK]})$

Sequence 4: $(q_1, a_1) \to (q_2, a_2) \to (q_3, a_3) \to (q_4, \text{[MASK]})$.


In each of the above sequences, we mask only the correctness token in the last 
position for the model to predict, given all the previous interactions and the 
subject token at the current interaction. 

It is worth noticing that the training and testing strategies of our model have 
some inconsistency in that the former one aims to predict the tokens masked at 
arbitrary positions in the sequences while the latter aims to predict the tokens 
masked at the last positions. Such inconsistency could possibly affect the per- 
formance of BiDKT adversely. 

To address the above issue, during the training, we randomly sample a certain 
percentage of the sequences and only have their correctness tokens masked at 
the last positions. In other words, their masking strategy is now the same as 
that used for the test data. This method can be viewed as a fine-tuning step for 
BiDKT and can potentially improve the performance of the model. 
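
The masking scheme of Sect. 3.5, together with the sequence split of Sect. 3.2, written out as an added Python example; it is not the authors' Keras implementation. The function names, the constructed sample sequence and the rule of always masking at least one position are assumptions of this example; the token ids follow Sect. 3.4.

```python
import random

# Correctness-token ids as listed in Sect. 3.4: 0 = padding, 1 = [MASK],
# 2 = incorrect response, 3 = correct response.
PAD, MASK, INCORRECT, CORRECT = 0, 1, 2, 3


def split_sequence(interactions, max_len):
    """Split T interactions into ceil(T / N) chunks of at most N = max_len."""
    return [interactions[i:i + max_len]
            for i in range(0, len(interactions), max_len)]


def encode(interactions):
    """Turn [(q_t, a_t), ...] with a_t in {0, 1} into subject and token lists."""
    subjects = [q for q, _ in interactions]
    answers = [CORRECT if a == 1 else INCORRECT for _, a in interactions]
    return subjects, answers


def mask_for_training(interactions, mask_rate, fine_tune_rate, rng):
    """Build one training example.

    Returns (subjects, inputs, targets, loss_mask). loss_mask is 1 at masked
    positions and 0 at observed ones, so only the "to-be-recovered"
    interactions enter the loss.
    """
    subjects, targets = encode(interactions)
    if not targets:
        return subjects, [], [], []
    if rng.random() < fine_tune_rate:
        # Fine-tuning case: same masking as at test time (last position only).
        positions = [len(targets) - 1]
    else:
        # BERT-style case: each correctness token is masked with prob. mask_rate.
        positions = [t for t in range(len(targets)) if rng.random() < mask_rate]
        if not positions:
            # Assumption of this example: always mask at least one position,
            # so that every sequence contributes to the loss.
            positions = [rng.randrange(len(targets))]
    inputs = list(targets)
    loss_mask = [0] * len(targets)
    for t in positions:
        inputs[t] = MASK      # the subject token q_t stays intact
        loss_mask[t] = 1
    return subjects, inputs, targets, loss_mask


def expand_for_testing(interactions):
    """Generate T test sequences; sequence t masks only its last correctness."""
    subjects, answers = encode(interactions)
    return [(subjects[:t + 1], answers[:t] + [MASK], answers[t])
            for t in range(len(answers))]


def pad_tokens(tokens, max_len):
    """Right-pad a correctness-token list with the reserved padding id."""
    return tokens + [PAD] * (max_len - len(tokens))


# Constructed sample: four interactions as (subject id, correctness).
SAMPLE = [(11, 1), (12, 0), (11, 1), (13, 1)]

if __name__ == "__main__":
    rng = random.Random(7)
    for chunk in split_sequence(SAMPLE, max_len=200):
        print(mask_for_training(chunk, mask_rate=0.15,
                                fine_tune_rate=0.25, rng=rng))
    for seq in expand_for_testing(SAMPLE):
        print(seq)
```

With `fine_tune_rate=1.0` every training sequence is masked exactly as a test sequence is, which is the consistency the fine-tuning step is meant to add.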


4 Experiments 


In this section, we evaluate the efficacy of our proposed model by comparing it
with several state-of-the-art BKT and DKT models across 8 real-world datasets.
The datasets are provided by Ghosh et al. (2020)¹ and Gervet et al. (2020)².


¹ https://github.com/arghosh/AKT/tree/master/data.
² https://github.com/theophilee/learner-performance-prediction.


4.1 Datasets


The details of these datasets are listed as follows:


— The ASSISTment dataset in 2009, 2012, 2015, 2019. The ASSISTment 
(ASSISTing and assessment) datasets are collected from a system utilised 
in the United States of America for high school mathematics classes. Each 
record in the dataset comprises the student’s mastery status on the concept, 
timestamp of the response, the teaching concept associated with the question, 
etc. [6]. ASSISTment 2009 has been chosen to be the benchmark dataset for 
knowledge tracing problem in the past decade. 

— Statics 2012. It is a dataset of the log data of ITS for a college-level engi- 
neering subject [14]. 

— Algebra 2005 and Bridge to Algebra 2006. These datasets are originally
for KDD Cup 2010, a competition of data mining. The task of the
competition was to predict students’ correctness on mathematical exercises
by learning from their log data from the Intelligent Tutoring Systems³. Each
record comprises the hierarchy of curriculum levels containing the exercise,
the identified concepts that are used in an exercise (where available), whether
the student answered it right at the first go, etc.

— Spanish. It is a set of log data of high school students learning Spanish on
an ITS [8,17].


Tables 1 and 2 summarise the key statistics of these datasets. 


Table 1. Details of the data provided by Gervet et al. (2020); the average sequence
length is abbreviated in the last row of the table.


Dataset       | Statics | Assist09 | Assist12  | Assist15 | Assist17 | Spanish | Bridge06  | Algebra05
Size          | 189,297 | 278,336  | 2,682,211 | 656,154  | 934,368  | 578,726 | 1,817,393 | 606,983
# of students | 282     | 3,114    | 22,589    | 14,228   | 1,708    | 182     | 1,130     | 567
# of subjects | 1,223   | 149      | 265       | 100      | 411      | 221     | 550       | 271
Avg-seq-len   | 636     | 32       | 59        | 31       | 440      | 2,924   | 1,373     | 581


Table 2. Information of the data provided by Ghosh et al. (2020); the average sequence
length is abbreviated in the last row of the table.


Dataset       | Statics | Assist09 | Assist15 | Assist17
Size          | 189,297 | 325,637  | 683,801  | 942,816
# of students | 333     | 4,151    | 19,840   | 1,709
# of subjects | 1,223   | 110      | 100      | 102
Avg seq len   | 568     | 78       | 34       | 551


³ https://pslcdatashop.web.cmu.edu/KDDCup/rules.jsp.
4.2 Baselines and Metrics 


The area under the receiver operating characteristic curve (AUC) has been 
widely used as the benchmark score for the comparison of model performance. 
Therefore, we used AUC as the performance score and compared the perfor- 
mance of our model with the results from Ghosh et al. (2020) and Gervet et 
al. (2020) by respectively testing our model on the pre-processed data they pro- 
vided [8,9]. They also respectively re-implemented a plethora of baseline models 
by themselves. More specifically, the context-aware knowledge tracing model in 
Ghosh et al. (2020) was the state of the art [9]; and Gervet et al. conducted 
comprehensive experiments over different existing models and datasets [8]. We 
listed the datasets they provided and their chosen baselines in Table 3. Non-KT 
baseline models (e.g., models based on Item-Response Theory and Performance 
Factor Analysis) evaluated in Gervet et al. (2020) will not be listed, but we kept 
their proposed logistic regression model and compared it with our model in the 
experiments. 


Table 3. Details and baseline models in Ghosh et al. (2020) and Gervet et al. (2020).
Non-KT baseline models are not listed.


                | Ghosh et al. (2020) | Gervet et al. (2020)
Dataset         | ASSISTment 2009, 2015, 2017 and Statics 2012 | ASSISTment 2009, 2015, 2012, 2017, Statics 2012, Bridge to Algebra 2006, Algebra 2005 and Spanish
Baseline models | BKT+ [29], DKT [22], DKT+ [28], SAKT [20], DKVMN [30] | BKT [4], BKT+ [29], DKT [22], SAKT [20]


4.3 Experiment Settings 


As mentioned in Sect. 3.5, if a sequence is longer than a certain length, we will 
split it into several smaller sequences to fit in our model. To conduct 5-fold 
cross-validation, we have split each dataset into three parts: 60% of the data to 
be used as the training set, 20% to be used as the validation set for optimizing 
the hyper-parameters and for performing the early stopping, and the remaining 
20% to be used as the test set to evaluate the competing models. 

We have implemented BiDKT with Keras⁴, and the structure of its transformer
layers was adapted from Keras-BERT⁵. The Adam optimiser was used for
training the BiDKT model [1]. The implementations of all the baseline models
are provided by Gervet et al. [8] and Ghosh et al. [9]. All the experiments are
conducted on an NVIDIA V100 GPU with 16 GB memory on the M3 cluster (a
high-performance computing cluster maintained by Monash University)⁶.


⁴ https://github.com/keras-team/keras.
⁵ https://github.com/CyberZHG/keras-bert.

We conducted a grid search across the hyper-parameter candidate sets spec- 
ified in Table 4 to find the best one that can optimise the average model perfor- 
mance over the 5 validation folds of each dataset. We found the following best 
hyper-parameter set with 16 as the batch size, 200 as the maximum sequence 
length, 0.1 as the dropout rate, 1 as the number of self-attention heads, 2 as the 
number of transformer layers, 16 as the embedding dimension, 64 as the number 
of hidden neurons for the feed-forward networks, 0.15 as the masking rate (i.e. 
the probability of a correctness token being substituted by a [MASK] token) and 
0.25 as the fine-tuning rate (i.e. the probability of a sequence only being masked 
at the last position in a training batch). In the later section, we will have a more 
detailed discussion about how the masking rate and fine-tuning rate will affect 
the model performance. 


Table 4. Hyperparameters experimented


Hyperparameter                 | Values experimented
Batch size                     | 8, 16, 24, 32, 64
Maximum sequence length        | 100, 200, 300
Dropout rate                   | 0.1, 0.25, 0.5
Learning rate                  | 1e-6, 5e-6, 1e-5, 5e-5, 1e-4
Number of self-attention heads | 1, 2, 4, 8, 12, 16
Number of Transformer layer    | 1, 2, 4, 8, 12
Embedding dimension            | 16, 24, 64, 128, 192, 256
Hidden dimension               | 64, 96, 256, 512, 768, 1024
Mask rate                      | 0.1, 0.15, 0.2, 0.25, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9
Fine-tune rate                 | 0.1, 0.15, 0.2, 0.25, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9


4.4 Results and Discussion 


In this section, we present the results of the competing models across the different 
datasets in Tables 5 and 6. Ghosh et al. (2020) reported two AKT models similar 
in the core layers but applied different encoding mechanisms for the input (i.e. 
one with Rasch encoding and one without) [9]. On the ASSISTment 2009 and 
2017 datasets, to which the Rasch encoding can be applied, the AKT model with 
such encoding had achieved better performance than the one without. Therefore, 
we only reported the results with the Rasch encoding on these two datasets. 

It can be observed from Table 5 that BiDKT has outperformed the BKT
model on the Statics 2012, the Algebra 2005 and the Spanish datasets. It has
also outperformed DKT and SAKT on the Spanish dataset. It is also interesting
to see that BiDKT has outperformed SAKT on the ASSISTment 2009 dataset
provided by Ghosh et al. (2020) but not on the same dataset provided by Gervet
et al. (2020) (Table 6).


⁶ https://www.massive.org.au/about/.


Table 5. Performance (AUC) comparison of BiDKT and the experiment result from
Gervet et al. (2020). NA means that the data is not provided or the experiment had
not been conducted in the original paper. “LR” stands for “logistic regression”.


Dataset                | BKT  | BKT+  | LR    | DKT   | SAKT  | BiDKT
Statics 2012           | 0.73 | 0.811 | 0.819 | 0.829 | 0.813 | 0.772
ASSISTment 2009        | 0.63 | 0.759 | 0.772 | 0.757 | 0.756 | 0.700
ASSISTment 2012        | NA   | NA    | 0.751 | 0.771 | 0.732 | 0.689
ASSISTment 2015        | NA   | 0.701 | 0.702 | 0.731 | 0.730 | 0.674
ASSISTment 2017        | NA   | 0.710 | 0.714 | 0.770 | 0.722 | 0.632
Bridge to Algebra 2006 | NA   | NA    | 0.803 | 0.790 | 0.784 | 0.763
Algebra 2005           | 0.62 | NA    | 0.83  | 0.821 | 0.801 | 0.777
Spanish                | 0.83 | 0.851 | 0.863 | 0.832 | 0.831 | 0.835


Table 6. Performance (AUC) comparison of BiDKT and the experiment result from
Ghosh et al. (2020). NA means that the result is not reported in the original paper.


Dataset         | BKT+ | DKT    | DKT+   | DKVMN  | SAKT   | AKT    | BiDKT
Statics 2012    | 0.75 | 0.8233 | 0.8301 | 0.8195 | 0.8029 | 0.8265 | 0.7785
ASSISTment 2009 | 0.69 | 0.817  | 0.8024 | 0.8093 | 0.752  | 0.8346 | 0.7651
ASSISTment 2015 | NA   | 0.731  | 0.7313 | 0.7276 | 0.7212 | 0.7828 | 0.6766
ASSISTment 2017 | NA   | 0.7263 | 0.7124 | 0.7073 | 0.6569 | 0.7702 | 0.5978

On the other datasets from the two sources, we can see that there is a notable 
performance gap between BiDKT and some of the state-of-the-art DKT models 
(e.g. AKT and SAKT). However, it is also worth noticing that in the original
paper of SAKT [20], the authors reported an AUC of 0.848 on the ASSISTment
2009 dataset and 0.857 on the ASSISTment 2015 dataset. In comparison,
neither Ghosh et al. (2020) nor Gervet et al. (2020) could reproduce the
original performance.

Despite the performance gap on some of the datasets, we believe that BiDKT 
still bears the potential to further improve its performance. BERT has demon- 
strated its efficacy in the sequential recommendation, a similar domain to knowl- 
edge tracing [25]. The only difference is that the datasets used in this case contain 
hundreds of millions of responses and millions of users and items, which are much 
larger than popular knowledge tracing benchmark datasets. Both Gervet et al. 
(2020) and Ghosh et al. (2020) have pointed out that self-attentive models might 
require a large amount of data to be trained properly [8,9]. In comparison, the 
datasets used in our experiments are relatively small. 
Furthermore, we hypothesise that the performance gap exists because the 
students’ future performance is only dictated by their performance in the recent 
past but not by any longer one. Another possible reason is that the dynamic 
patterns underlying the interaction sequences are not sufficiently complex for 
our model to fully exploit to allow it to outperform simpler models. 


4.5 The Impact of Masking Rate 


The mask rate refers to the probability of whether a correctness token will be 
substituted by a [MASK] token. The mask rate will decide how many tokens 
in a training sequence the model should predict. On one hand, if it were too 
large, it would impose extra difficulty for the model to capture the pattern of 
the sequence; on the other hand, if it were too small, the robustness of the model 
would be impaired [25]. In this experiment, we kept the fine-tune rate at 0.25 and 
changed the value of the mask rate to investigate how it affects the performance 
of the model. 
Fig. 2. The performance (AUC) of BiDKT with different masking rates across the 
different datasets. 


As we can tell from Fig. 2, generally, the performance of BiDKT does not
monotonically grow or decline within the domain of [0.1, 0.9], which leads us
to the same conclusion as [25]: a change of the mask rate does not always result
in performance improvement or decline. When the mask rate is larger than 0.3,
generally speaking, the performance of BiDKT declines as the mask rate
continues to grow.
4.6 The Impact of Fine-Tuning Rate 


The fine-tune rate refers to the probability with which a sequence will have the 
correctness token masked only in the last position. Similar to the mask rate, 
we conjectured that it can either be too small or too large. On one hand, if it 
were too small, the discrepancy between the training task and the testing task 
would be large; on the other hand, if it were too large, we cannot fully leverage 
the power of BERT to capture the learning characteristics of the students by 
predicting correctness tokens from their upstream and downstream context. 
Fig. 3. The performance of BiDKT with different fine-tuning rates across the different 
datasets. 


As we can tell from Fig. 3, when we changed the fine-tune rate from 0.1 to 
0.9, the performance of the model did not monotonically grow or decline. This 
proved our aforementioned hypothesis. 


4.7 Limitations of Our Study 


Due to the time and resource limitation of this paper, we can only improve and 
evaluate our work within a certain scope. One of the limitations of this paper 
is that we did not investigate the root cause of the performance gap. We only 
empirically analysed why the gap exists. Another limitation of our research is 
that the granularity of the grid search for optimal hyperparameters was very 
high. 
5 Conclusion and Future Work 


In this paper, we proposed BiDKT, a deep knowledge tracing model based on 
BERT. We introduced the structure of BiDKT in detail and how we implemented
the model. We conducted a series of experiments to evaluate the overall 
performance of our model and analyse how some of the important parameters 
affect the performance of the model. Our model outperformed some of the cur- 
rent deep knowledge tracing models in certain scenarios. To our knowledge, even 
though a plethora of extensive BERT models have been proposed and have shown 
excellent performance in their respective settings, most of them are still mod- 
els for natural language processing tasks. Our work extended the usage of the 
BERT model to the knowledge tracing domain, and more broadly, the non-NLP 
sequential prediction domain. 

There are many possibilities for future research in the deep knowledge tracing 
domain. Currently, many DKT models have tried to incorporate more features
of a student’s response (e.g. the text of the exercise as side information [19]) or a
more sophisticated method to encode the input (e.g. the Rasch encoding [9]). We
consider that these research directions could be integrated with BERT models
for higher performance. Another possible research direction could be training 
and testing the model on the EdNet dataset, which is larger in size and has a 
larger number of students but has not been widely used as a benchmark dataset. 
Abstract. Education is a crucial aspect of most nations. It is the back- 
bone of society, but many regulations and multiple actors make it a 
complex bureaucratic system, lacking transparency and efficiency. Fur- 
thermore, the use of central databases in storing academic records raises 
concerns about security issues. In this paper, issues of the academic pro- 
cesses in the current system are pointed out, and the solution using pri- 
vate distributed ledger technology is proposed accordingly. A brief com- 
parison with Blockcerts, which is a counterpart using public blockchain 
to facilitate decentralized certificate verification, is made to emphasize 
the benefits of the proposed system. Based on distributed ledger tech- 
nologies, the solution we present aims to create a transparent system to 
support the institutions’ processes and lay a solid foundation for lifelong 
learning. 


Keywords: Blockchain · Private distributed ledger · Academic system 


1 Introduction 


University bureaucracy is complicated and time-consuming, which lowers the
quality of the student experience in higher education. Specifically, in the
enrolment process, students have to deal with multiple stakeholders in order to
get enough documents and submit them to the right organizations. Figure 1
demonstrates the current enrolment process of international students. Similarly,
the process when a student wants to change education provider is also
cumbersome. There are, again, various steps to be taken before the student can
be enrolled in a new university. However, the process likely ends in frustration
when the credits are not recognized correctly or the student is even rejected.
Moreover, central databases make the current system prone to long-standing
problems, including falsified documents and a single point of failure for
academic records. While the former has been under debate for a long time,
verifying academic qualifications is not simple, given that forged degrees are
becoming much more sophisticated. The latter arises from the risk of the central
database storing academic records being compromised, which leads to the loss or
leakage of academic records. Furthermore, using central databases also hinders
information continuity and consistency.
Distributed ledger technology (DLT)’s prominent immutability, transparency,
and traceability make it a comprehensive solution to the stated problems.
The main idea of applying DLT in managing academic records and
university-related bureaucracies is to eliminate a single point of data storage
and make data transparent to authorized entities. This means student enrolment
and academic credit transfer processes will become much simpler and faster.
Additionally, the data transparency offered by DLT is key to connecting learning
records produced by various education providers. Therefore, a sustainable
foundation is set for lifelong learning to evolve. Blockchain is an emerging
distributed ledger technology that was introduced in 2008 and has become a
promising technology that will make noticeable impacts on the world [1]. It has
been researched in various sectors, and some blockchain-based applications
(BBAs) have even started making a difference [2]. The application of blockchain
in education has been suggested since around 2016, when MIT Lab was researching
their Blockcerts project [3]. It has been elaborated in multiple papers [4,5];
the topic is still in its infancy, yet the number of studies on it has been
increasing dramatically in recent years [2,6,7]. Various studies have been
conducted on integrating blockchain into the education field, suggesting a
variety of enhancements that could be brought to the current systems [6,7].
According to [6] and [7], the majority of them discuss certificate management
and learning outcomes management [8-15], some discuss evaluating learners’
capability [16,17], some suggest securing collaborative learning environments
[18-20], and a number address other problems in the education sector [21,22].
Most of those research papers suggest using public blockchains, including
Bitcoin and Ethereum, while only a limited number of papers propose private
blockchain as the solution.


2 Issues in Student Enrolment and Transfer Processes 


2.1 Long Waiting Time 


Traditional academic transferring processes are claimed to be time-consuming by 
Badr et al. [8], Ghaffar and Hussain [24] and Jirgensons and Kapenieks [11] due 
to the involvement of multiple stakeholders and manifold document handling 
processes. This significant delay in time is also a cause for hindering learning 
from becoming lifelong [11]. 


2.2 Security Risk 


Daraghmi considers that academic records are common targets of information
theft as they include students’ personal information [10]. Ocheja et al. claim in
both [18] and [19] that the current process of records sharing lacks protection
for learners’ confidential data. The traditional system is also considered
easy to attack [17]; thus, it is prone to the risk of a single point of failure [12].


Fig. 1. Current process of enrolment 


2.3 Lack of Interoperability 


Srivastava et al. [23], Turkanović et al. [15] and Kontzinos et al. [25] claim that 
different standards in storing academic records lead to the absence of information 
continuity when records are transferred. Furthermore, [23] and [15] also point out 
that the barrier of language and script in different countries is another challenge 
to keeping the seamless stream of learning records. Therefore, lifelong learning 
is significantly held back. 


2.4 Fraudulent Activities 


Fake academic documents, nowadays, can be easily forged at a startling speed
due to the weak security mechanism of the current system [26] and duplication of
records caused by its lack of interoperability [23]. Fake degrees increase legitimate
universities’ expenses: they must compete with “degree mills”, conduct investigations and
mount litigation against fake entities to protect their intellectual property
rights, and protect their reputation against the potential harm caused by those
fake qualifications [27]. This problem is also supported by the numbers and examples
given by Kazakzeh et al. [28]. From the employer perspective, it may cost them
an average of 40,000 US dollars per bad hire [29].
3 Private Distributed Ledger


The private distributed ledger is used because it facilitates the partnership
between government and public organizations where optimization of resource
utilization is guaranteed [14]. Besides, better scalability, security and privacy
are also the main reasons a private blockchain is preferred in this use case. In
addition, the low computational cost is another advantage of using a private
blockchain; computational cost, on the other hand, is the main problem when applying
a public blockchain in any use case. In this vision paper, Hyperledger Fabric¹ is the
private blockchain considered as the solution so that we can take advantage of
its additional features of modularity, configurability and versatility.


3.1 More Scalability 


Bitcoin [30] and Ethereum [31] are the most popular public blockchains which
have been used in improving educational processes. However, they are known
for their problems in scaling due to their limited throughput and costly
transactions [8]. Hyperledger Fabric, on the other hand, is a permissioned blockchain
which, by default, maintains smaller chains, has a shorter processing time, and
scales to handle a larger number of transactions thanks to the ability to
leverage non-cryptocurrency consensus protocols. According to the comparison in
[8], Hyperledger performs much better than other popular platforms, including
Bitcoin, Ethereum, Cardano and Multichain, in terms of transactions per second,
with 2500 transactions in a second. Moreover, [32] has introduced a plug-and-play
mechanism to boost the performance of Hyperledger Fabric to a promising
maximum of 20000 transactions per second.


3.2 Better Security and Privacy 


Permissioned blockchains (or private DLTs), by default, are operated on a
restricted private network where nodes are known to each other; thus, there is more
trust in the network. Furthermore, the network can be configured so that data
can only be accessed or verified by authorised nodes. Thus, it is a good fit for
protecting the confidentiality and privacy of data on the system [8]. In addition,
non-cryptocurrency operation in a private distributed ledger lowers the risk of the
system being attacked. Unlike other platforms, which propose data encryption
or Zero Knowledge Proofs as the mechanism for preserving data confidentiality
and privacy with different trade-offs, Hyperledger Fabric, by default, provides
the channel architecture and private data feature as solutions.


3.3 Less Computational Cost 


As permissioned blockchains do not depend on any costly block mining
processes, there is no native cryptocurrency needed; thus, less expensive consensus
protocols can be used. The computational cost is kept low due to the
elimination of cryptocurrency consensus protocols and cryptographic mining processes.
Furthermore, end-users are not required to run their own nodes to be part of the
blockchain network. In this vision, the Hyperledger Fabric network serves in the
web application’s backend, with which the users communicate to take advantage of
the services. Therefore, the system will not cost users any computational
resources, and the use of resources is also reduced from a service provider
perspective as no additional nodes are created upon end-user interaction [8].

¹ https://hyperledger-fabric.readthedocs.io/en/release-2.2/


4 Proposed System Using Private DLT 


4.1 Simple Processes 


Instead of forwarding required documents from one entity to another, which is
time-consuming, the proposed system allows stakeholders to interact directly
with each other. By facilitating direct interactions between stakeholders in the
university’s bureaucracy, students are freed from involvement in any processes after
providing their details to the document issuers; thus, complexity and time are
lessened. As shown in Fig. 2, all students need to do is request a document,
and the rest of the process is automated by related entities.

After receiving and processing applicants’ information, bureaucratic entities 
issue relevant documents and store them on their ledgers in the Fabric channel 
where other channel members can have access to those documents. Sequentially, 
the next stakeholder can continue the process as soon as the document they 
require is issued and stored on the channel ledgers. Thus, the complexity and 
long waiting time are significantly reduced. 


4.2 A Trusted Network 


The system also proposes a collaboration space facilitated by a network with
enhanced security and trust. Applying DLT to store documents and
records in a decentralized manner eliminates the central database’s single point of
failure risk. In addition, the current problems in sharing academic records can be solved
thanks to the immutability and transparency features of blockchain, which make
data and transactions viewable by any approved entities but impossible to
modify after committing. In the proposed system, academic records are viewable
and accessible by any external entities of the university as long as they are
trusted and thus included in the channel. Therefore, universities in the system are
able to share and exchange academic records effortlessly.


4.3 Support Lifelong Learning 


Thanks to the use of blockchain, data is owned by the learners, who also
control access to it [33]; thus, students are placed at the center of the proposed
system, which allows them to make their own decisions on their career path [6].

Fig. 2. Proposed DLT solution.


Mikroyannidis et al. [33], in their proposal of a learner-centered approach for life- 
long learning, have proposed multiple benefits brought by blockchain to ePort- 
folios, a crucial component of lifelong learning. Furthermore, simplifying and 
securing enrolment and academic records sharing processes sets sustainable steps 
for lifelong learning to become the norm and probably beyond that. When these 
processes are no longer cumbersome and enhanced with a robust data shar- 
ing procedure, learners will be more comfortable and confident to acquire new 
knowledge and skills from diverse institutions. 


5 Comparison to Blockcerts 


Some concerns have been raised about data privacy when data is transparent
on the blockchain. By taking advantage of Hyperledger Fabric’s channel
and private data collection features, which are developed for the purpose
of preserving privacy on the blockchain network, a university in the proposed
system can choose particular entities in the network with which to share its data
privately in a channel; it can even further choose a subset of entities in the
channel to share data with each other secretly using a private data collection. As
Blockcerts² is a system based on Ethereum and Bitcoin, which are public blockchains,
features for accommodating private information are not available. Also, the
consensus rules are unchangeable on those permissionless blockchain networks.
Therefore, Blockcerts provides limited capabilities, which leads to
the incompatibility of the system with the variety of business needs. Blockcerts
only offers the service of qualifications issuance and verification. On the other
hand, Hyperledger Fabric is used in order to take advantage of its versatility and
modularity. Also, multiple configurations in the Fabric network are pluggable,
which makes it a modular and configurable platform facilitating innovation,
versatility, and optimization for a variety of applications while still ensuring a high
level of security. Therefore, the proposed system promises to provide a
comprehensive management system for education providers, government entities, and
other related agencies to facilitate collaboration and optimize any processes with
interoperability, transparency, and security.

² https://www.blockcerts.org/

The Hyperledger Fabric platform is suggested to perform better than
other popular platforms, including Bitcoin and Ethereum, in terms of transactions
per second (TPS), which is a vital attribute for determining the performance of a
platform and whether it can scale up to large applications. Specifically, Badr et
al. [8], in their comparison, showed that Hyperledger Fabric (2500 TPS) could
process 100 times more transactions than Ethereum (from
15 to 25 TPS) can process within 1 s, while the difference is more than 300 times
compared to Bitcoin (from 3.3 to 7 TPS).

Blockcerts certificates have been found to be vulnerable to impersonation
attacks [34]. In detail, fake certificates can be forged if an issuer profile is
fabricated with an altered certificate, resulting in indistinguishability between fake
and legitimate certificates [34]. While [34] suggested using public key
infrastructure (PKI) or a decentralized identity system to mitigate this vulnerability,
Hyperledger Fabric, by default, has been implemented with these features thanks to
the Membership Service Provider (MSP) mechanism. Hence, Hyperledger Fabric
is ensured with robust identity management, which prevents malicious activities
of malevolent entities in the network. Furthermore, in the Hyperledger Fabric
network, participants are expected to be known to each other and collaborate under
a certain governance model. Thus, the likelihood of intentional malicious code
injected through smart contracts is eliminated (Table 1).


Table 1. Comparison between Blockcerts and proposed system using Hyperledger
Fabric

Columns: Blockcerts | Proposed system
Rows: Data privacy, Security, Modularity, Versatility, High throughput
6 System Architecture


The system’s high-level architecture is illustrated in Fig. 3. External information
exchanges occur in the external channel, while each entity’s internal information
sharing occurs in its own internal channel, separate from the former. With
this blockchain-of-blockchains-like architecture, data sharing is immutable,
transparent and traceable, and thus interoperable across different organizations
within the system. Therefore, this will be a viable platform for lifelong learning
to thrive.


[Figure: UniA Channel, UniB Channel, External Channel; University A, University B, Immigration, ATO, Insurance A, Insurance B]

Fig. 3. High level architecture of proposed system.
Abstract. Vehicular federated learning (VFL) is a new paradigm that
enables the use of data for distributed training under the premise of pro- 
tecting the privacy of vehicular nodes (VNs). However, due to the hetero- 
geneity of federated learning data, it is a challenge to evaluate the value of 
data and design an intelligent pricing scheme to effectively motivate the 
VNs in the vehicular networks (VNets) to complete learning tasks collab- 
oratively. To this end, in this paper, we consider the value of data and 
propose a value-aware collaborative data pricing scheme for VFL. In the 
scheme, we first design a data transaction architecture based on the value 
of data and the cooperation among VNs. Then, by considering the non- 
independent and identically distributed (non-IID) degree and the age of 
data (AoD), we develop the data value model to evaluate the quality of 
data. Next, based on the requirement of the learning task and the data 
owned by each VN, we formulate the cooperation of the VNs as a coalition 
game, where the equilibrium of the coalition game is obtained by designing 
a distributed coalition formation algorithm. The simulation results show 
that the proposed scheme can lead to higher utility than the traditional 
methods. 


Keywords: Federated learning · Vehicular networks · Data pricing ·
Coalition game


1 Introduction 


With the rapid development of 6G and vehicular networks (VNets), a large number
of machine learning tasks have been generated to facilitate intelligent
transportation systems (ITS) [1]. As a new learning architecture, federated learning
has attracted widespread attention to support various applications and services
[2-4]. Different from traditional machine learning which needs to transmit the
collected data to a central server for training, federated learning allows each data
owner to locally train the collected data and to upload the local update to the
central server, reducing the communication overhead and improving the data
security [5]. With these advantages, a new paradigm called vehicular federated
learning (VFL) has been proposed to facilitate the applications and services in
VNets such as vehicle positioning [6] and vehicle classification [7].

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2022

Fig. 1. System model.

In the VFL, as shown in Fig. 1, a task requester can send its request to the
central server, which will select a number of vehicular nodes (VNs) including
unmanned aerial vehicles (UAVs), cellular base stations (CBSs), roadside units
(RSUs) and vehicles to train the learning task locally. After a round of training,
the local update will be collected by the central server to update the global
model. This process is repeated until a certain precision or the maximum number of
iterations is reached.

Obviously, in the model training process, the VNs with different data have 
different contributions to the global model training. According to [8], when per- 
forming learning tasks, the higher the quality of data, the higher the quality of 
local model updates. However, VNs usually generate and collect data in different 
ways. As a result, the number and characteristics of data owned by different VNs 
may vary greatly. Therefore, the data of VFL is non-independent and identically 
distributed (non-IID). For neural networks trained on highly skewed non-IID 
data, the accuracy will be significantly reduced [9]. Furthermore, most of the 
tasks in the VNs require the timeliness of data. Outdated data may reduce the 
accuracy of the training model, leading to wrong judgments and low quality of 
experience (QoE) of the task requester. Taking an autonomous driving task as an 
example, fresh driving environment data can significantly improve the accuracy 
of analysis of accident risks [10]. 

Apart from the data quality, another factor that affects VFL is data pricing.
In the VFL, VNs may consume different resources when collecting data and
training samples. As selfish and rational nodes, they will not actively participate
in the training process of the VFL task. To solve this problem, a collection of
mechanisms has been proposed to motivate VNs [11-13]. However, few of them
consider the fact that VNs will declare various prices for joining in the VFL.
In addition, the existing works typically assume that VNs price data
independently because they will train local models with their own data, which lacks the
consideration of the cooperation among VNs to increase their data value and
maximize their utility. Therefore, it is still an urgent problem to design a pricing
scheme in VNets to facilitate the VFL by considering the value of data and the
cooperation among VNs.

By considering the above issues, this paper proposes a value-aware collabo- 
rative data pricing scheme to facilitate VFL. In the scheme, we first establish a 
data transaction architecture for VFL in VNets by considering the value of data 
and the cooperation among VNs. Then, we design a value model to evaluate the 
quality of data by jointly considering the non-IID of data and age of data (AoD). 
Next, the interactions among VNs are modeled by a coalition game, where a dis- 
tributed coalition formation algorithm is designed to achieve the equilibrium of 
the coalition game with the target of maximizing the utility of each VN. The 
simulation results show that the proposed scheme can bring the highest utilities 
to the VNs by comparing with the traditional methods. 

The remainder of this paper is organized as follows. Section 2 describes the 
system model. Section 3 designs the proposed scheme. Section 4 formulates the 
cooperation among VNs as the coalition game. The simulation results are pre- 
sented in Sect. 5. Finally, we conclude the paper in Sect. 6. 


2 System Model 


In this section, we introduce the system model which consists of network model 
and task model. 


2.1 Network Model 


In the VNets, as shown in Fig. 1, the networks consist of a central server, a task
requester and VNs.


— Central Server: As the controller of the VFL, the central server caches the 
data and price information of each VN. If a VN intends to update its infor- 
mation, it can send a revised message to the central server. In addition, the 
central server manages local updates, aggregates global models, and controls 
the collection of local updates and the distribution of global updates. After 
the central server receives a learning task, it can assign the task to a number 
of VNs to train the model locally and cooperatively. 

— Task Requester: In the VNets, each VN can be a task requester. If a task 
requester has a learning task that needs to be completed, it can publish the 
task to the central server. After the central server completes the learning task, 
the trained model then can be delivered to the task requester. 

— Vehicular Nodes: Let $\mathcal{I} = \{1, \ldots, i, \ldots, I\}$ represent all the VNs in the VNets.
For VN i, it can decide the price of its data to execute the local training based 
on the pricing model broadcasted by the central server. If the VN is selected 
by the central server to train the learning model, the reward will be paid to 
the VN after the learning task is completed. 
2.2 Task Model


The set of learning tasks in the VNets is denoted as $\mathcal{R} = \{1, \ldots, r, \ldots, R\}$. Task
$r$ ($r \in \mathcal{R}$) can be represented as

$$r = (id_r \,\|\, des_r \,\|\, reward_r), \quad (1)$$

where $id_r$ is the unique identification of task $r$, $des_r$ is the description of task
$r$, and $reward_r$ is the reward for completing task $r$, which is provided by the task
requester. If a task requester intends to complete learning task $r$, it can deliver
task $r$ to the central server. Then the central server broadcasts a request message
to the VNs in its communication coverage, shown as

$$req_r = (r \,\|\, h_r \,\|\, w_r^0 \,\|\, E \,\|\, B \,\|\, D_r), \quad (2)$$

where $h_r$ is the machine learning model which is selected by the central server
for task $r$, $w_r^0$ is the initial parameter of the machine learning model, $E$ is the
number of epochs, $B$ is the local batch size used for local training, and $D_r$ is the
requested number of samples in each round for training the learning task.


3 Value-Aware Collaborative Data Pricing for VFL 


In this section, we introduce the proposed value-aware collaborative data pricing 
scheme. 


3.1 Data Transaction Architecture 


The data transaction architecture designed for the VFL has the following steps. 


1) When a task requester has a task r to be completed, it first describes the 
detailed information of the task as a task requirement message and sends it 
to the central server. 

2) After receiving task $r$ from the task requester, the central server initializes
the parameters $E$, $B$, and $w_r^0$. Meanwhile, the central server selects the
machine learning model $h_r$ for training task $r$.

3) Based on the information of the task request and the VNs, the central server
starts to operate the coalition game. Specifically, each VN $i$ ($i \in \mathcal{I}$)
decides its data price based on the value of its data, where the price model
is determined by the central server. Furthermore, it can form a coalition by
itself to train the model individually or form a coalition with other VNs to
increase its data value. The details of the designed coalition game among
the VNs will be discussed in Section 4-A.

4) Based on the data prices of different coalitions, the central server selects a 
group of coalitions to form the optimal coalition set (OCS) and complete the 
learning task collaboratively. The selection of the OCS will be introduced in 
Section 4-B. 
5) After the central server determines the OCS, it broadcasts the task request
message and the determined OCS to the VNs within its communication
coverage.

6) Once a VN receives the OCS, it starts to execute the $K$-round learning
task if the VN is a member of the OCS. Specifically, for round $k$ ($1 \le k \le K$),
the VNs in the OCS train the local model with their data sets. The purpose
of local training is to minimize the loss function of task $r$. For VN $i$, the
samples in its data set are denoted as $D_i = \{1, \ldots, d_i, \ldots, D_i\}$, where $d_i$ is a
pair of input and output $\{x_{d_i}, y_{d_i}\}$. Therefore, the loss function of sample
$d_i$ can be defined as $f_{d_i}(x_{d_i}, y_{d_i}, w_r^k)$.

Denote by $S^* = \{S_1^*, S_2^*, \ldots, S_{J^*}^*\}$ the set of coalitions in the OCS. Then,
the samples in the data set of the VNs in coalition $S_j^*$ can be expressed as
$D_{S_j^*} = \bigcup_{i \in S_j^*} D_i$. Similarly, we can define the loss function of coalition $S_j^*$
with data set $D_{S_j^*}$, shown as

$$f_{S_j^*}(x_{d_i}, y_{d_i}, w_r^k) = \frac{\sum_{d_i \in D_{S_j^*}} f_{d_i}(x_{d_i}, y_{d_i}, w_r^k)}{|D_{S_j^*}|}, \quad (3)$$

where $|D_{S_j^*}|$ is the number of samples in $D_{S_j^*}$.

Based on the loss function of the task, we then introduce the optimization
process to find the parameter of (3) with the target of minimizing the value
of the loss function.

Similar to [14], we use the Mini-Batch Gradient Descent (MBGD) as the
optimization method. The strategy of the MBGD is to reduce the value
of the loss function along the direction of gradient descent. For each epoch,
there are $\lceil |D_{S_j^*}| / B \rceil$ iterations. Each iteration uses $B$ samples to update the
parameters. Therefore, the number of local updates of coalition $S_j^*$ is
$E \times \lceil |D_{S_j^*}| / B \rceil$.
Then, we update the local model of coalition $S_j^*$ according to the gradient,
where the local update can be defined as

$$w_r^k = w_r^{k-1} - \eta_k \nabla(w_r^{k-1}). \quad (4)$$

In (4), $w_r^{k-1}$ is the local model of coalition $S_j^*$ in the $(k-1)$th round, $\eta_k$ is the
learning rate (step size), and $\nabla(w_r^{k-1})$ is the gradient of $w_r^{k-1}$.

7) Each VN in the OCS sends the local update to the central server once
the local training is completed.

8) The central server aggregates the local updates received from the VNs into
a new global model $w^k$. We have

$$w^k = \sum_{S_j^* \in S^*} \frac{|D_{S_j^*}|}{\sum_{S_j^* \in S^*} |D_{S_j^*}|} \, w_r^k. \quad (5)$$

9) The central server sends the newly formed global model to the VNs in the
OCS.

10) After the VNs in the OCS receive the global model, the $(k+1)$th round starts.
The above training process is repeated until the given precision or the maximum
number of iterations is reached, ending the execution process of the learning
task.
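Steps 6 to 10 as a runnable sketch: each coalition in the OCS runs MBGD on its pooled data as in (4), and the central server averages the local models weighted by data volume as in (5). This is an added example, not the authors' code; the scalar model y = w·x, the squared-error loss and the sample data are assumptions made for illustration.

```python
# Constructed sample: two OCS coalitions with pooled (x, y) pairs drawn from y = 3x.
OCS = {
    "S1": [(0.5, 1.5), (1.0, 3.0), (1.5, 4.5), (2.0, 6.0), (2.5, 7.5)],
    "S2": [(1.0, 3.0), (2.0, 6.0), (3.0, 9.0)],
}


def sample_loss(w, x, y):
    """Per-sample loss f_d(x_d, y_d, w); squared error is an assumption."""
    return 0.5 * (w * x - y) ** 2


def coalition_loss(w, data):
    """Eq. (3): mean per-sample loss over a coalition's pooled data set."""
    return sum(sample_loss(w, x, y) for x, y in data) / len(data)


def local_training(w, data, epochs, batch_size, lr):
    """MBGD with the update of eq. (4); returns the local model and update count."""
    updates = 0
    for _ in range(epochs):
        for start in range(0, len(data), batch_size):
            batch = data[start:start + batch_size]  # the last batch may be short
            grad = sum((w * x - y) * x for x, y in batch) / len(batch)
            w -= lr * grad
            updates += 1
    return w, updates


def aggregate(local_models):
    """Eq. (5): average of (model, |D_S|) pairs weighted by data volume."""
    total = sum(n for _, n in local_models)
    return sum(w * n for w, n in local_models) / total


def run_round(w_global, ocs, epochs, batch_size, lr):
    """One round k: every coalition trains from the global model, then aggregation."""
    local_models = []
    for data in ocs.values():
        w_local, _ = local_training(w_global, data, epochs, batch_size, lr)
        local_models.append((w_local, len(data)))
    return aggregate(local_models)


def train(ocs, w0, rounds, epochs, batch_size, lr, target_loss):
    """Repeat rounds until the target precision or the round limit K is reached."""
    pooled = [sample for data in ocs.values() for sample in data]
    w = w0
    for k in range(1, rounds + 1):
        w = run_round(w, ocs, epochs, batch_size, lr)
        if coalition_loss(w, pooled) <= target_loss:
            return w, k
    return w, rounds


if __name__ == "__main__":
    model, used = train(OCS, w0=0.0, rounds=10, epochs=2, batch_size=2,
                        lr=0.1, target_loss=1e-6)
    print(f"global model {model:.6f} after {used} rounds")
```

With E = 2 and B = 2, coalition S1 (5 samples) performs 6 local updates per round and S2 (3 samples) performs 4, which matches the update count given in step 6.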


4 Game Analysis 


In this section, we first introduce the value of data. Then, we design the coali- 
tion game to formulate the interactions among VNs to maximize their utilities, 
followed by the coalition selection mechanism to form the OCS. 


4.1 Value of Data 


In the VFL, VNs with different data values have different contributions to the 
global model training. In other words, the contribution of nodes is related to the 
value of data. In general, the data owned by different VNs are heterogeneous. 
Therefore, we define the data value by jointly considering two factors, i.e., non- 
IID and AoD. 


- non-IID: Based on the studies in [9], the average earth mover’s distance
(EMD) can be used to measure the heterogeneity of data distribution among
different VNs. Considering that the data sample $\{x_{d_i}, y_{d_i}\}$ follows the distribution
$p$, we define the non-IID of coalition $S_j$ as

$$EMD_{S_j} = \sum_{c=1}^{Y} \| p_{S_j}(y = c) - p(y = c) \|, \quad (6)$$

where $y$ is the label of sample, and $y = \{0, 1, \ldots, Y\}$. $p_{S_j}(y = c)$ is the
proportion of data with label $c$ in coalition $S_j$’s data and $p(y = c)$ is the proportion
of data with label $c$ owned by all the VNs. It can be seen from (6) that a high
EMD value can result in a high non-IID degree of data.
In order to make EMD and AoD in the same order of magnitude, we adopt
the min-max normalization to convert the range of EMD values to [0, 1]. The
minimum value of EMD is 0. Therefore, (6) can be rewritten as

$$EMD_{S_j} = \frac{EMD_{S_j} - \min(EMD)}{\max(EMD) - \min(EMD)} = \frac{EMD_{S_j}}{\max(EMD)} = \frac{\sum_{c=1}^{Y} \| p_{S_j}(y = c) - p(y = c) \|}{\max\left(\sum_{c=1}^{Y} \| p_{S_j}(y = c) - p(y = c) \|\right)}. \quad (7)$$

- AoD: AoD can be used to evaluate the freshness of data [15]. For coalition
$S_j$, the AoD can be defined by

$$AoD_{S_j} = \sum_{i \in S_j} \frac{|D_i|}{\sum_{i \in S_j} |D_i|} A_i, \quad (8)$$

where $A_i$ is the AoD of the data set owned by VN $i$, $A_i \in [0, 1]$.

- Data value: We measure the value of data by its heterogeneity and age. In
this way, based on the non-IID and AoD of the data owned by different VNs,
the value of the data owned by coalition $S_j$ can be expressed as

$$VoD_{S_j} = \log\left(1 + \frac{\rho}{EMD_{S_j}} + \frac{1 - \rho}{AoD_{S_j}}\right) = \log\left(1 + \frac{\rho}{\dfrac{\sum_{c=1}^{Y} \| p_{S_j}(y = c) - p(y = c) \|}{\max\left(\sum_{c=1}^{Y} \| p_{S_j}(y = c) - p(y = c) \|\right)}} + \frac{1 - \rho}{\sum_{i \in S_j} \dfrac{|D_i|}{\sum_{i \in S_j} |D_i|} A_i}\right), \quad (9)$$

where $\rho$ is used to balance the importance of the non-IID and the AoD.


4.2 Coalition Game 


1) Definition: A coalition game can be expressed as $[\mathcal{I}, V(S_j)]$, where $\mathcal{I}$ is the set
of VNs which take part in the coalition game, $S_j$ is an arbitrary subset of $\mathcal{I}$,
and $V(S_j)$ is the characteristic function of coalition $S_j$.

2) Characteristic function: In the game, the characteristic function $V(S_j)$
represents the utility of the coalition. The data value and data volume of the
coalition will affect the global model of VFL. Therefore, we can define the
utility of the coalition by

$$V_{S_j} = \alpha_r \log(1 + VoD_{S_j}) \cdot |D_{S_j}| = \alpha_r \log\left(1 + \log\left(1 + \frac{\rho}{EMD_{S_j}} + \frac{1 - \rho}{AoD_{S_j}}\right)\right) \cdot |D_{S_j}|, \quad (10)$$

where $\alpha_r$ is the basic price of task $r$ and $\log(1 + VoD_{S_j})$ is the unit price of data.

3) Game rules: The rules of the coalition game consist of coalition conditions
and coalition principles.

- Coalition conditions: Consider that VN $i$ is in coalition $S_j$ and
intends to split from this coalition and merge into coalition $S_{j'}$. It can join
coalition $S_{j'}$ if the following two conditions are satisfied.

For VN $i$, the utility after the node merges into the new coalition $S_{j'}$ is
larger than the utility of the node in coalition $S_j$. We have

$$U_i(V(S_{j'} \cup \{i\})) > U_i(V(S_j)). \quad (11)$$

The utility obtained by each VN after VN $i$ has merged into coalition $S_{j'}$ is
no less than the utility obtained by the VN in this coalition. It can be
expressed as

$$U_{i'}(V(S_{j'} \cup \{i\})) \ge U_{i'}(V(S_{j'})), \quad \forall i' \in S_{j'}. \quad (12)$$

- Coalition principles: Given the coalition structure $S = \{S_1, \ldots, S_j, \ldots,
S_{j'}, \ldots, S_J\}$, if VN $i$ switches from coalition $S_j$ to coalition $S_{j'}$, the
coalition structure can be updated by

$$S_j \leftarrow S_j \setminus \{i\}, \quad S_{j'} \leftarrow S_{j'} \cup \{i\}. \quad (13)$$

4) Node utility: If VN $i$ in coalition $S_j$ participates in this round of federated
learning training and contributes to the global model, it will obtain the
corresponding reward. Because the data value of different nodes is not the same,
the contribution to the whole coalition is different. Therefore, we can
calculate the utility of each VN in the coalition based on its contribution. We
have

$$U_i(V(S_j)) = V(S_j) - V(S_j \setminus \{i\}). \quad (14)$$

Therefore, the utility model of the VN can be defined as:

$$U_i = \begin{cases} U_i(V(S_j)), & i \in S_j, \\ \ldots \end{cases} \quad (15)$$

where $\{i\}$ is the coalition consisting of VN $i$ itself.

5) Game equilibrium: We can know from the game rules that each VN needs
to operate some switches to find its coalition. Therefore, we use the iterative
method to design a distributed coalition formation algorithm for finding the
equilibrium of the coalition game [16]. The algorithm makes the coalition
structure stable through the VNs continuously joining a coalition and leaving
a coalition.

6) Coalition formation process: In the process of data transaction, each node
tries to merge to form a coalition according to the coalition conditions and
coalition principles, and finally forms a stable coalition structure through
multiple rounds of the coalition formation process. The process of coalition
formation can be described as follows.

- Initial coalition: The nodes are divided into $J$ coalitions, where each
coalition has only one VN. The initial coalition structure can be given by
$S = \{S_1, \ldots, S_j, \ldots, S_J\} = \{\{1\}, \ldots, \{i\}, \ldots, \{I\}\}$.

- Coalition formation: For VN $i$ ($i \in S_j$), there is a candidate coalition
sequence $SQ_i$ that includes the remaining coalitions except $S_j$, shown as

$$SQ_i = \{S_1, \ldots, S_{j-1}, S_{j+1}, \ldots, S_J\}. \quad (16)$$

Based on (16), VN $i$ selects a coalition from $SQ_i$ in turn. If the coalition
conditions are satisfied, VN $i$ merges into the coalition according to the
coalition principles. In this way, each VN is analyzed by the coalition game
in turn until the stable coalition structure is achieved.


4.3 Coalition Selection 


In the data transaction process, the central server intends to obtain the highest
quality data with the lowest rewards. Therefore, we define the coalition type by
considering the value of data and the price of data to help the central server make a
decision.

Coalition type: The coalition type represents the central server’s preference for
coalitions. The higher order of the type of $S_j$ implies that the coalition has a
larger possibility to contribute its data. Then, the type of coalition $S_j$ can be
defined as

$$TYPE_{S_j} = \log(1 + VoD_{S_j} / V(S_j)). \quad (17)$$

Coalition selection mechanism: When the coalition structure is stable, there
are $J^*$ coalitions. Sort the coalitions based on the type in ascending order:
$S_1 > S_2 > \ldots > S_{J^*}$. The central server selects the coalitions to join the training.
There are two cases to form the OCS. First, if $D_r \le D_{S_j}$, the central server
selects $D_r$ data from this coalition, and we have $D_{S_j} = D_r$. In this case, the coalition
provides $D_r$ data to train the global model. Second, if $D_r > D_{S_j}$, we have
$D_r = D_r - D_{S_j}$. Namely, this coalition provides all data to train the global
model. Repeat this process until we have $D_r \le D_{S_j}$. Then, the case is similar to
case 1.
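The value model, the switch rules and the coalition selection of this section as one runnable sketch. This is an added example, not the authors' code (their simulator is in Matlab). Assumptions: formulas (6)-(10), (14) and (17) as read from this page, an EPS floor so that a zero EMD or AoD does not divide by zero, max(EMD) taken over the single-VN coalitions, the highest TYPE served first, and constructed VN names and data.

```python
import math

EPS = 0.05  # assumption: floor keeping rho/EMD and (1-rho)/AoD finite when a term is 0

# Constructed sample: per-label sample counts and data age A_i of four VNs.
VNS = {
    "A": {"labels": [90, 10], "age": 0.5},
    "B": {"labels": [20, 80], "age": 0.5},
    "C": {"labels": [40, 60], "age": 0.5},
    "D": {"labels": [50, 50], "age": 1.0},
}


def counts(coalition, vns):
    """Per-label sample counts of the pooled data set of a coalition."""
    return [sum(col) for col in zip(*(vns[i]["labels"] for i in coalition))]


def emd(coalition, vns):
    """Eq. (6): sum over labels c of |p_S(y=c) - p(y=c)|, p taken over all VNs."""
    local, overall = counts(coalition, vns), counts(vns, vns)
    return sum(abs(l / sum(local) - g / sum(overall)) for l, g in zip(local, overall))


def aod(coalition, vns):
    """Eq. (8): mean of the members' ages A_i weighted by data volume |D_i|."""
    sizes = {i: sum(vns[i]["labels"]) for i in coalition}
    return sum(sizes[i] * vns[i]["age"] for i in coalition) / sum(sizes.values())


def make_model(vns, rho, alpha):
    """Return vod(S) for eq. (9) and the characteristic function V(S) of eq. (10)."""
    # Assumption: max(EMD) in eq. (7) is taken over the single-VN coalitions.
    emd_max = max(emd({i}, vns) for i in vns) or 1.0

    def vod(s):
        e = max(emd(s, vns) / emd_max, EPS)
        return math.log(1 + rho / e + (1 - rho) / max(aod(s, vns), EPS))

    def V(s):
        return alpha * math.log(1 + vod(s)) * sum(counts(s, vns)) if s else 0.0

    return vod, V


def node_utility(i, coalition, V):
    """Eq. (14): marginal contribution U_i = V(S) - V(S without i)."""
    return V(coalition) - V(coalition - {i})


def may_switch(i, src, dst, V):
    """Coalition conditions (11) and (12) for VN i moving from src to dst."""
    joined = dst | {i}
    if node_utility(i, joined, V) <= node_utility(i, src, V):
        return False
    return all(node_utility(m, joined, V) >= node_utility(m, dst, V) for m in dst)


def form_coalitions(vns, V, max_passes=50):
    """Start from single-VN coalitions; apply rule (13) until no VN moves."""
    structure = [frozenset({i}) for i in sorted(vns)]
    for _ in range(max_passes):  # guard in case the switches were to cycle
        moved = False
        for i in sorted(vns):
            src = next(s for s in structure if i in s)
            for dst in [s for s in structure if s != src]:
                if may_switch(i, src, dst, V):
                    rest = [s for s in structure if s not in (src, dst)]
                    structure = rest + [dst | {i}] + ([src - {i}] if len(src) > 1 else [])
                    moved = True
                    break
        if not moved:
            break
    return structure


def is_stable(structure, V):
    """True when no VN satisfies both coalition conditions for any other coalition."""
    return not any(may_switch(i, src, dst, V)
                   for src in structure for i in src for dst in structure if dst != src)


def select_ocs(structure, vns, vod, V, requested):
    """Sect. 4.3: rank by TYPE (17), then take data until D_r samples are covered."""
    ranked = sorted(structure, key=lambda s: math.log(1 + vod(s) / V(s)), reverse=True)
    plan, remaining = [], requested
    for s in ranked:
        if remaining <= 0:
            break
        take = min(remaining, sum(counts(s, vns)))
        plan.append((sorted(s), take))
        remaining -= take
    return plan


if __name__ == "__main__":
    vod, V = make_model(VNS, rho=0.5, alpha=0.1)
    stable = form_coalitions(VNS, V)
    print([sorted(s) for s in stable], select_ocs(stable, VNS, vod, V, requested=250))
```

On this sample the label-skewed VNs A, B and C end up pooling their data, while D, whose data is balanced but oldest, stays alone because joining would lower its own utility under condition (11).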


5 Simulation Results


In this section, the performance of the proposed scheme is evaluated by using a
simulator in Matlab. We first introduce the simulation setup and then show the
simulation results and discussions.
Fig. 2. Average utility of VNs by changing the EMD parameter $\rho$.
5.1 Simulation Setup


In our simulation, we consider an image classification task. The data set used in
our simulation is the Cifar-10 data set. Cifar-10 is divided into 5 batch training sets
and 1 batch-test set, where the data set contains 10 labels: airplane, automobile,
bird, cat, deer, dog, frog, horse, ship, and truck. Each image belongs to one of
the labels. The occurrence probability of each category of images is essentially
equal. Each VN randomly extracts a fragment as its own data set. The values
of $\rho$ and $\alpha_r$ are 0.5 and 0.1, respectively. With this scenario, we evaluate the
proposed scheme by changing the values of $\rho$ and the number of VNs in the
VNets. The performance of our proposed scheme is evaluated by comparing
with the following conventional schemes.


— Non-cooperation scheme (NCS): In this scheme, all the VNs provide their 
data to train the learning model independently. 

— Big coalition scheme (BCS): In this scheme, all the VNs form a big coalition 
and provide their data to complete the learning task collaboratively. 


5.2 Simulation Results 


Figure 2 shows the average utility of VNs as the EMD parameter changes. As shown 
in Fig. 2, the proposed scheme brings a higher utility to the VNs than the 
conventional schemes. This is because the proposed scheme allows VNs to form 
distributed coalitions to maximize their utility. In addition, the figure shows 
that the average utility of the VNs increases with p. The reason is that the 
importance of EMD increases with p. As a result, the value of data increases and 
the utility of VNs increases. 

Figure 3 shows the average utility of VNs as the number of VNs participating in 
the learning process changes. From this figure, we can see that the utility of 
VNs in the NCS is almost stable. In addition, the utility of VNs increases with 
the number of VNs in the BCS and the proposal. This is because the increase of 
nodes promotes the variability of the coalition structure, where the probability 
of the coalition with low heterogeneity becomes high. 

Fig. 3. Average utility of VNs by changing the number of VNs. 


6 Conclusion 


In this paper, we have proposed a value-aware data pricing scheme to facilitate 
the VFL in VNets. In the scheme, we have designed a novel data transaction 
architecture based on the value of data and the cooperation among VNs. Then, 
by considering the non-IID and AoD, we have developed a value model to eval- 
uate the quality of data. Next, with different values of data owned by different 
VNs, a distributed coalition formation game has been designed to promote coop- 
eration among VNs, where the equilibrium of coalition game has been obtained 
by designing a coalition formation algorithm. Simulation results have demon- 
strated that the proposed scheme can achieve the optimal strategy for VNs and 
outperform the conventional schemes in terms of the average utility obtained by 
VNs. For future work, the integration of blockchain and the proposed scheme 
will be considered to guarantee the security of the VFL in VNets. 
Abstract. The location-awareness capabilities of edge computing (EC) 
involve a large quantity of physical devices with short coverage range. 
The possibility of private data attacks from adversaries increases 
dramatically because location information is easily accessible. 
Existing research on privacy-preserving schemes cannot meet the various 
privacy-preserving expectations that arise in practice for EC variants. In 
this paper, we propose a dual-scheme customizable ε-differential privacy 
preservation model to provide comprehensive protection. We establish the first 
scheme by clustering Edge Nodes (ENs) with SDN-enabled EC, where 
SDN provides programmability. In addition, we customize the 
ε-differential privacy preservation scheme for variant EC services by 
employing a modified Laplacian mechanism to generate noise, where the 
optimal tradeoff has been found. Extensive experimental results 
demonstrate the significance of the proposed model in terms of privacy 
protection level and data utility, respectively. 


Keywords: Edge computing · Privacy-preserving · Software defined 
network · Differential privacy · Location-aware application 


1 Introduction 


The Internet of Things (IoTs) is advancing at a breakneck pace, and connection 
between things is becoming more pervasive [3,7]. More and more objects are 
becoming intelligent as they become capable of seeing their surroundings, 
connecting to the internet, and receiving instructions remotely. This 
intelligence is derived from data, analysis, and input from a variety of 
systems or servers connected to a variety of mobile devices [4]. 

The wireless and decentralized properties of ENs make them vulnerable to 
adversaries in the actual application process of edge computing (EC), resulting 
in major location-aware privacy disclosure vulnerabilities [14]. EC enables 
computation to take place closer to the user [17]. It evaluates data locally and 
makes decisions based on it. To a certain extent, it decreases the danger of 
privacy leakage by avoiding long-distance data transfer in the network [27]. 
However, a substantial amount of sensitive private data can be retrieved, since 
attackers can easily access real-time data received by ENs. Higher criteria for 
privacy protection techniques in EC have been recommended as a result of 
methodologies that assure users can utilise the service without revealing their 
sensitive location data [19]. Although certain privacy-preserving models and 
algorithms have been presented, traditional privacy-preserving solutions are 
impractical for addressing this problem directly and effectively [9]. 
Furthermore, the location privacy disclosure concern identified in EC will have 
a significant impact on EC application development. It is critical to 
investigate location-aware privacy-preserving solutions for massive 
location-based EC applications. 

Motivated by this, to establish an optimal trade-off on data utilities with 
sufficient accuracy and efficiency, we offer a dual-scheme ε-customised 
differential privacy model (DDSDP) based on software-defined EC (SD-EC) services. 
SD-EC increases the network’s privacy protection capabilities by allowing it to 
be programmed flexibly and dynamically [11,18]. First, we initiate the EN 
clustering method. This strategy connects users to EC services through a group of 
ENs rather than a single reliable service provider, while also increasing the 
complexity of attacking targets for adversaries. Furthermore, the measurement of 
ε-customised differential privacy is determined by the distance between EN 
clusters. To quantify data utilities and privacy protection levels, we create a 
QoS-based mapping function. Our thorough studies illustrate the efficiency and 
accuracy in real time. 

The contributions of this paper can be summarized as follows: 


— We offer a dual-scheme ε-customized differential privacy model to retain 
location-aware private data for users. In addition, to offer first-scheme 
protection for location-aware data from users to ENs, we consider a dynamic 
clustering strategy. This protects against frontal attacks from adaptable foes. 
Furthermore, we adapt Affinity Propagation methods to boost the effectiveness 
of the clustering scheme while retaining the greatest degree of privacy 
protection. 

— We designate our second approach as the ε-customized protection model with 
modified Laplacian mechanism, which provides noise to the clustered EN. 
Moreover, we developed a QoS-based mechanism to measure the distance between 
privacy levels. DDSDP seeks to enhance the utilities of data while minimising 
privacy costs. 

— To illustrate the proposed models, we perform extensive experiments based 
on a real-world dataset. The evaluation results reveal notably significant 
performance in data utilities and privacy protection level. 


This paper is organized as follows. Section 2 summarizes the existing 
research on EC and related privacy protection approaches. The attacking 
formulation with two popular attack methods is analyzed in Sect. 3. Section 4 
formulates our proposed DDSDP model in both schemes. Section 5 presents 
evaluation results from our extensive experiments using the DDSDP protection 
model. Finally, a summary and future work are discussed in Sect. 6. 


2 Related Work 


EC benefits from dense geographical dispersion, which is accomplished by 
installing ENs in multiple locations and interconnecting each of the nodes to 
end devices [22]. Moreover, the geographic dispersion of the ENs enables location 
mobility for IoTs devices, obviating the requirement for devices to traverse the 
entire network [10]. Besides the tangible benefits of EC’s location-aware 
capabilities, the most immediate challenge is the preservation of users’ privacy 
when it relates to geographical location data. 

Users in the EC environment are not expected to reveal their actual location 
to attackers when obtaining services. Location-aware data includes not only the 
current specific location, but also the contents of the EN that are saved and 
processed in EC, such as movement patterns and behavioural patterns. Indeed, 
the dimensionality to which location-aware privacy protection and Quality of 
Service (QoS) are the result of a sequence of antagonistic connections [8]. 
Current research on location-aware privacy protection technology for EC is 
primarily concentrated on two aspects: 1) privacy-preserving models that utilise 
reputable third-party entities [24], and 2) the data anonymization technique [16]. 

Moreover, J. Kang [13] proposed a privacy-preserving pseudonym method 
that addressed privacy concerns associated with location-based EC internet 
vehicles. While these solutions provide acceptable performance, they are more 
concerned with maintaining a stable network state than with dynamic and tai- 
lored EC restrictions. Lyu [15] performed extensive research on the tailored 
epsilon-differential privacy-preserving technique [12], which Qu [20], Badsha [2], 
and Wang Wang [25] all effectively demonstrated. These strategies are very suc- 
cessful in social networks, recommendation systems, and location-aware apps. 
They are theoretically sound and include strong privacy safeguards [23]. 

Furthermore, we examine two typical attack vectors that adversaries 
commonly use to target sensitive location data in the EC. 


Wormhole Attacks. This type of attack is very hazardous since it may occur 
even when all parties to the communication guarantee the message’s validity and 
secrecy. The attacker creates a secret channel between two cooperating malicious 
nodes with the intent of transferring data groups acquired at one network point 
to another. J. Zhang et al. [28] developed the grid clustering routing method 
(FGC) to protect against wormhole attacks, and it is currently extensively used 
in industrial IoT. 


DDoS Attack. Another popular attack technique in SDN-enabled EC is the 
DDoS assault, which targets the communication layer. According to the location 
service provider, it prevents radio signals from being transmitted [21,26]. 
The literature has examined the feasibility and efficacy of DDoS attacks against 
a variety of transport protocols, including Bluetooth [5]. Along with active 
interfering attacks, the adversaries may conduct a denial-of-service (DoS) attack 
by installing a malicious device or router that intentionally violates the 
communication protocol in order to cause conflicts or disrupt communication. 


3 Formulation of Adversaries Attack in Location-Aware 


The volume of information that attackers may extract from the users’ 
location-aware privacy data after its broadcasting influences the effectiveness 
of the adversary attack model in the EC. The location data captured by the 
adversaries from a user is encapsulated within a collection of spatiotemporal 
data {r : r = (P, t)}, where r denotes a single adversary-collected location 
data item, P denotes the specific location of the user, and t denotes the 
accurate timing of the collection. Moreover, the disclosure of sensitive 
location data is structured as a set $\{s_1, s_2, \dots, s_n\}$, where $s_n$ 
denotes the nth position after numbering. 

Adversaries can deduce users’ privacy information based on location data by 
predicting the probability p that a user is in a sensitive location $s_i$ at 
time t. We describe location data that users supply at any point in time t where 
it does not reveal the θ privacy of users in a sensitive location. Therefore, it 
will quantify the adversary location data collection in order to identify the 
user in a specified sensitive location information. 


Definition 1 (Location-Aware Data Privacy) 


At any time t’, we use $P\{U_i^{t'}\}$ to represent the probability that a user 
is at location $s_i$ at time t’. We also use $L_t$ to represent the location data 
collected by attackers at a certain time t. As a result, we have 

$P\{U_i^{t'} \mid L_t\} - P\{U_i^{t'}\} < \theta$ (1) 

where θ denotes the user’s privacy requirement, $P\{U_i^{t'} \mid L_t\}$ denotes 
that the adversary acquires location data subsequent to the user at time t and 
evaluates the posterior probability of the user being in a vulnerable position 
$s_i$ at specific time t’, and $P\{U_i^{t'}\}$ denotes the adversary’s prior 
probability of speculating that the user is in a perilous position $s_i$. 
According to Definition 1, the adversary’s collection of user location data 
cannot surpass θ in order for the attacker to deduce the user’s sensitive 
location. Therefore, after aggregating the position sequence from the users, the 
discrepancy in probability values between the posterior and prior probabilities 
of the user being in a specific sensitive position at a given moment is less 
than θ. At each moment t’, the adversary has 
$-P\{U_i^{t'}\} \log P\{U_i^{t'}\}$ of previous knowledge about the user’s 
location. 
Thus, the amount of sensitive user location data exposed to attackers in ENs 
can be estimated as follows: 

$Comp(s) = \sum P\{U_i^{t'}\} \log P\{U_i^{t'}\} - \sum P\{U_i^{t'} \mid L_t\} \log P\{U_i^{t'} \mid L_t\}$ (2) 

As defined in Definition 1, a privacy-preserving technique that meets θ 
privacy may guarantee that the quantity of information included in the published 
data in the EN is less than nθ, where n is the quantity of sensitive locations. 
At any point in time, users with strict privacy needs may set θ to 0. As a 
consequence, users must ensure the location data they post does not jeopardise 
their θ privacy in any sensitive location. They only need to adhere to the 2 
standard of the privacy level. 
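The check that Definition 1 describes can be run before a location observation is published. The following is an added example, not code from the paper: it updates the adversary's prior with Bayes' rule, flags every sensitive location whose posterior exceeds its prior by θ or more, and reports how much the adversary's uncertainty shrinks. The state names, probabilities, θ value and function names are constructed assumptions.

```python
import math

# Constructed example: three sensitive locations plus a catch-all state.
STATES = ["home", "clinic", "office", "elsewhere"]
SENSITIVE = [0, 1, 2]                 # indices of the sensitive locations s_i
PRIOR = [0.25, 0.25, 0.25, 0.25]      # adversary's prior P{U_i}
THETA = 0.2                           # user's privacy requirement (assumed value)

# P{L | U_i}: how likely each candidate release is under each true state.
CANDIDATES = {
    "exact_fix": [0.90, 0.05, 0.03, 0.02],      # release from a single EN
    "cluster_level": [0.30, 0.30, 0.20, 0.20],  # release from an EN cluster
}


def posterior(prior, likelihood):
    """Bayes update: P{U_i | L} from the prior P{U_i} and P{L | U_i}."""
    joint = [p * l for p, l in zip(prior, likelihood)]
    total = sum(joint)
    if total == 0:
        raise ValueError("observation has zero probability under the prior")
    return [j / total for j in joint]


def entropy(dist):
    """Shannon entropy in nats; zero-probability terms contribute 0."""
    return -sum(p * math.log(p) for p in dist if p > 0)


def theta_violations(prior, post, theta, sensitive):
    """Sensitive indices where posterior - prior is not below theta."""
    return [i for i in sensitive if post[i] - prior[i] >= theta]


def audit_release(prior, candidates, theta, sensitive):
    """Evaluate each candidate release against the theta requirement."""
    report = {}
    for name, likelihood in candidates.items():
        post = posterior(prior, likelihood)
        report[name] = {
            "posterior": post,
            "violations": theta_violations(prior, post, theta, sensitive),
            # Reduction of the adversary's uncertainty caused by the release.
            "entropy_reduction": entropy(prior) - entropy(post),
        }
    return report


if __name__ == "__main__":
    for name, row in audit_release(PRIOR, CANDIDATES, THETA, SENSITIVE).items():
        flagged = [STATES[i] for i in row["violations"]]
        print(name, "violations:", flagged,
              "entropy reduction: %.3f nats" % row["entropy_reduction"])
```

In this constructed case the single-EN release violates the requirement for one location, while the cluster-level release stays below θ everywhere.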


4 System Modeling and Analysis 


Figure 1 illustrates the proposed DDSDP model utilised in the SDN-enabled 
EC service. Both schemes secure the data privacy in location-aware applications 
between users and ENs. We begin with a customized SDN control layer. This 
novel control layer attempts to offer a real-time clustering solution. It uses the 
modified affinity propagation (AP) clustering technique. As the clusters are con- 
stantly updated, attackers cannot identify the source of the first connected EN. 
As a result, clustering protects privacy. The security level is also increased by 
modifying the Laplacian mechanism. We utilise QoS mapping to assess data util- 
ity and privacy protection. Thus, SDN-enabled EC services provide the highest 
privacy level and data utility protection. 


Fig. 1. DDSDP framework in SD-enabled EC. 


4.1 Edge Nodes (ENs) Clustering Modelling 


We use EN clustering to conceal the real position data from users in the first 
scheme of the proposed DDSDP model. This preservation approach prevents the 
adversary from quickly invading and forces the adversary to resort to more 
complex attack measures. Each cluster is composed of at least two or more ENs. 
Instead of direct connections, users are assigned to EN clusters that span a 
larger region under the adversary attacking paradigm. Adversaries need 
additional analytical stages as precise selection gets increasingly difficult. 


Weight Factors and Unification Process. Distance-based location is a popular 
location-aware privacy-preserving technique in EC. We determine the distance 
based on the user situation by analysing the arrival time and the difference 
between the arrivals. Typically, each EN calculates the user position via 
a distance-based location method. If location information is exposed, user 
privacy will be jeopardised. Moreover, in order to establish the current location 
of the user, the selected EN must be aware of the location of each reference 
node. The geolocation information for the reference node is revealed if the 
adversary performs spoofing on the location data and other attacks against the 
reference node. 

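We calculate the position distances between specified ENs and the initial 
anchor node using the matrix S, where $S^i = \{S_1^i, S_2^i, S_3^i, \dots, S_m^i\}$ 
denotes distinct factors associated with the same EN, whereas the elements 
$S_j = \{S_j^1, S_j^2, S_j^3, \dots, S_j^n\}$ denote the same factor for all ENs. 
As a result, we construct the matrix as 

$$S = \begin{pmatrix} S_1^1 & S_2^1 & S_3^1 & \cdots & S_m^1 \\ S_1^2 & S_2^2 & S_3^2 & \cdots & S_m^2 \\ \vdots & \vdots & \vdots & & \vdots \\ S_1^n & S_2^n & S_3^n & \cdots & S_m^n \end{pmatrix} \quad (3)$$ 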


ENs have a variety of indices based on their features, such as access points and 
servers. Before the aggregate indicator can be computed, a unification procedure 
is needed to identify the distances. To address the issue of differing absolute 
values for various indices, the absolute values must be transformed to relative 
values. S’ denotes the matrix S after the unification procedure. 


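$$S' = \begin{pmatrix} \frac{S_1^1}{\sum_{i=1}^{n} S_1^i} & \frac{S_2^1}{\sum_{i=1}^{n} S_2^i} & \frac{S_3^1}{\sum_{i=1}^{n} S_3^i} & \cdots & \frac{S_m^1}{\sum_{i=1}^{n} S_m^i} \\ \frac{S_1^2}{\sum_{i=1}^{n} S_1^i} & \frac{S_2^2}{\sum_{i=1}^{n} S_2^i} & \frac{S_3^2}{\sum_{i=1}^{n} S_3^i} & \cdots & \frac{S_m^2}{\sum_{i=1}^{n} S_m^i} \\ \vdots & \vdots & \vdots & & \vdots \\ \frac{S_1^n}{\sum_{i=1}^{n} S_1^i} & \frac{S_2^n}{\sum_{i=1}^{n} S_2^i} & \frac{S_3^n}{\sum_{i=1}^{n} S_3^i} & \cdots & \frac{S_m^n}{\sum_{i=1}^{n} S_m^i} \end{pmatrix} \quad (4)$$ 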

Cluster Triggering Process. Primarily, all ENs are geographically allocated. 
When potential attacks are detected, we initially propose a cluster triggering 
technique that allocates measurements according to the entropy weight 
determination. The EWM’s fundamental premise is to derive objective weights of 
certain variables. The EWM determines the weight of each element in each factor 
of the attacking formulation. In general, a lower entropy value $e_j$ indicates 
the importance of the element, including data information and quantity of the 
data, and therefore merits a greater weight in the relevant factor. In 
comparison, a higher entropy $e_j$ implies that an element has a lower value, 
offers less information, and contributes less to the overall assessment, and 
therefore should have a lower weight. Due to the unification procedure, the 
weight factor for each component j in each dimension i must be computed, where 
j = 1, 2, 3, ..., m, and i = 1, 2, 3, ..., n. 


$p_{ij} = \frac{T_{ij}}{\sum_{i=1}^{n} T_{ij}}$ (5) 


Each factor j must have an entropy value computed, where j = 1, 2, 3, ..., m. 
$k = 1/\ln(n) > 0$ in this case, and $e_j \ge 0$. 


$e_j = -k \sum_{i=1}^{n} p_{ij} \ln p_{ij}$ (6) 


A redundancy rate is determined throughout this procedure to minimise 
variance. The redundancy rate for j = 1, 2, ..., m is $d_j = 1 - e_j$. Following 
the redundancy correction, the following weight factors are calculated: 


TEGA ) 


After assigning weights to each element per dimension, the clustering 
procedure is carried out according to the weight factors. Assume that t+ is the 
threshold value for clustering, which depends on the edge network’s distance. 
$T_{rg}$ is the outcome of the triggering process and is determined by the weight 
factor computed for each element. The clustering process is defined by the unique 
EN factor abstracted with the maximum value. 


1 si 
TL = ae X ty 
a ea 
si 
T? =; 2 = OX ti 
i D S3 i 
Si 
TË = B x ti 


4.2 Affinity Propagation-Based Clustering 


On the basis of a modified AP mechanism, we develop a clustering model. AP 
is a semisupervised clustering method based on closest neighbour propagation 
developed by Frey et al. [6]. In comparison with other clustering techniques, 
AP does not need a final number of clusters to be specified. Rather than creating 
new data points, the cluster centres are chosen from existing geographical data 
points. The AP approach is less reliant on the initial location information input 
and does not require a symmetric data similarity matrix. In EC, the input data 
may be of various types as a result of our triggering mechanism’s weight 
factor-based selections. As a result, the AP method is the optimal choice for 
grouping ENs. 


Preference. We begin by examining the parameter for the preferences. The 
similarity between cluster centres is stated as sim(d, p), which reflects the 
similarity between the data points p and d. The Euclidean distance is used to 
determine this similarity: 


sim(d, p) = 


Responsibility. sim(d, p) indicates the degree to which data point p is appropriate 
for designation as the cluster centre for data point d and represents a message 
sent from d to p, where p ∈ {1, 2, ..., N} and p ≠ p’. 


$r(d, p) = \left(s(d, p) - \max\{a(d, p') + sim(d, p')\}\right) \times T_{rg}$ (10) 


where a(d, p’) is the value showing the accessibility of point i to all points 
except k, with a starting value of 0. s(d, j) denotes the responsibility of a 
point by points other than p, where points other than d are in rivalry with d for 
ownership. r(d, p) denotes p’s cumulative duty to act as the cluster centre for d. 
When r(d, p) > 0, it indicates that p has a greater responsibility to act as the 
cluster centre. 


Availability. To analyse the availability aggregation, a(d, p) indicates the 
probability that data point d should always choose data point p as its cluster 
centre and is equivalent to a message delivered from p to d. 


$a(d, p) = \min\left\{0,\; r(p, p) + \sum \max(0, r(d', p))\right\} \times T_{rg}$ (11) 


$a(p, p') = \left(\sum \{\max(0, r(d', p))\}\right) \times T_{rg}$ (12) 


where r(d’, p) indicates the responsibility value of point p as the cluster centre 
for points other than d. We aggregate all responsibility values greater than or 
equal to 0, and we also include the responsibility value p as a cluster centre in 
its own right. Specifically, all data points with matching responsibility values 
larger than 0 support point p, and data point d chooses p as a cluster centre 
based on its cumulative value. 


Damping Factor. A damping factor is used as the algorithm repeatedly updates 
the availability and responsibility values. This factor λ enables the AP method 
to converge more quickly. The damping factor may take on values ranging from 
0 to 1. λ operates on the responsibility and availability values throughout each 
iteration of the algorithm to weight the update in relation to the previous 
iteration. 

$d_n = (1 - \lambda) \times d_n + \lambda \times T_{n-1}$ (13) 


$p_n = (1 - \lambda) \times p_n + \lambda \times p_{n-1}$ (14) 
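The responsibility, availability and damping updates of this section are easier to follow in running form. The following is an added example, not the paper's code: it implements standard affinity propagation as published by Frey and Dueck, without the paper's $T_{rg}$ trigger weight, on nine constructed EN coordinates, and then checks the paper's requirement that every cluster holds at least two ENs. The coordinates, function names and the median preference are assumptions of this example.

```python
import statistics

# Constructed planar EN coordinates (km): three geographic groups of three.
EDGE_NODES = [
    (0.0, 0.0), (1.0, 0.2), (0.2, 1.1),
    (10.0, 0.5), (11.2, 0.0), (10.4, 1.3),
    (0.5, 10.0), (1.6, 11.0), (0.0, 11.3),
]


def similarity_matrix(points, preference=None):
    """Negative squared Euclidean distance; the diagonal holds the preference."""
    n = len(points)
    s = [[-((points[i][0] - points[k][0]) ** 2
            + (points[i][1] - points[k][1]) ** 2)
          for k in range(n)] for i in range(n)]
    if preference is None:
        # Median of the off-diagonal similarities, a common default.
        preference = statistics.median(
            s[i][k] for i in range(n) for k in range(n) if i != k)
    for k in range(n):
        s[k][k] = preference
    return s


def affinity_propagation(s, damping=0.7, iterations=200):
    """Return (exemplars, labels); needs at least two points."""
    n = len(s)
    r = [[0.0] * n for _ in range(n)]   # responsibility r(i, k)
    a = [[0.0] * n for _ in range(n)]   # availability a(i, k)
    for _ in range(iterations):
        for i in range(n):
            scores = [a[i][k] + s[i][k] for k in range(n)]
            best = max(range(n), key=scores.__getitem__)
            second = max(scores[k] for k in range(n) if k != best)
            for k in range(n):
                rival = second if k == best else scores[best]
                new = s[i][k] - rival
                # Damped update: mix the new message with the previous one.
                r[i][k] = damping * r[i][k] + (1 - damping) * new
        for k in range(n):
            pos = [max(0.0, r[i][k]) for i in range(n)]
            support = sum(pos) - pos[k]          # sum over i' != k
            for i in range(n):
                if i == k:
                    new = support
                else:
                    new = min(0.0, r[k][k] + support - pos[i])
                a[i][k] = damping * a[i][k] + (1 - damping) * new
    exemplars = [k for k in range(n) if r[k][k] + a[k][k] > 0]
    if not exemplars:
        raise RuntimeError("no exemplar found; adjust preference or damping")
    labels = [i if i in exemplars else max(exemplars, key=lambda k: s[i][k])
              for i in range(n)]
    return exemplars, labels


def cluster_edge_nodes(points, damping=0.7, iterations=200):
    """Cluster EN coordinates; exemplars are always existing ENs."""
    return affinity_propagation(similarity_matrix(points), damping, iterations)


def anonymity_sets(labels):
    """Map each exemplar to the ENs a user of that cluster is hidden among."""
    sets = {}
    for node, exemplar in enumerate(labels):
        sets.setdefault(exemplar, []).append(node)
    return sets


if __name__ == "__main__":
    exemplars, labels = cluster_edge_nodes(EDGE_NODES)
    for exemplar, members in anonymity_sets(labels).items():
        print("exemplar EN", exemplar, "covers ENs", members)
```

A cluster that comes back with a single member offers no cover for the EN in it, so `anonymity_sets` is the place to enforce the two-EN minimum before users are attached.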


4.3 ε-Customized Differential Scheme 


Each user in EC exposes their sensitive location data during connection 
establishment. However, before this location data is released, it must be 
protected from disclosure. We developed the first clustering method in order to 
raise the difficulty level when an opponent intends to attack. Additionally, the 
model secures the released data with a tailored degree of protection based on the 
cluster distances. Our second scheme seeks to offer consumers the utmost in 
privacy protection. To get the greatest protection, we employ ε-customized 
differential privacy and introduce Laplacian noise to the cluster. 


QoS Data Utility Mapping. The previous paragraph specified the distance 
between each cluster as sim(i, k), and the Softmax function was utilised to 
describe the data utility with QoS and privacy preservation level as ε in the 
DDSDP model. In a multi-class problem, the Softmax function assigns a decimal 
probability to each class. Moreover, it is often used to visualise the utility of 
data and the level of privacy protection provided by the QoS mapping. The mapping 
function is represented as follows: 


exp(O) simi + £) 


QoS(e;) = k x 
(s) Sý exp(0t simip - 2) 


(15) 


where k ∈ K is the parameter used to modify the maximum amplitude value, 
θ indicates the curve’s steepness, and x indicates the position. 


Laplacian Mechanism and Laplacian Noise. To preserve anonymity of location, 
we apply probabilistic clustering to the initial results of the single clustering 
query. To protect users’ privacy when it comes to location-aware information, we 
utilise the Laplacian technique to change the actual value by adding Laplacian 
noise to the original clustering result data, guaranteeing differential privacy 
both before and after noise addition. 

M(D) = f(D) + Y 
s.t. 
ell f(a) — Flu) Il ee 
AF 


Px(2) 


Py (2) 


where ε specifies the privacy budget and ε may be adjusted to obtain a better 
privacy budget outcome owing to the clustering requirement. The Laplacian 
distributed noise is determined by Y. Lap(a) denotes the mechanism’s probability 
density, while a denotes the noise’s magnitude. 


Lap(a) = 


) 


= exp( 
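The QoS mapping and the Laplacian mechanism described above can be exercised together. The following is an added example, not the paper's code: it reads the mapping as a softmax over per-cluster similarity scores scaled by k (an assumption about the garbled formula (15), with the position offset omitted), assigns each cluster its own ε, adds Laplacian noise of scale Δf/ε to a released coordinate, and verifies the density-ratio bound that defines ε-differential privacy. All scores, parameter values and function names are constructed.

```python
import math
import random

# Constructed inputs: one similarity score per EN cluster.
CLUSTER_SIMILARITY = [0.2, 0.9, 1.5]
K_BUDGET = 3.0        # amplitude parameter k (assumed value)
STEEPNESS = 2.0       # steepness of the mapping curve (assumed value)
SENSITIVITY = 1.0     # L1 sensitivity of a released coordinate pair, km (assumed)


def customized_epsilons(similarities, k, steepness):
    """Per-cluster epsilon as k times a softmax of steepness * similarity."""
    shifted = [steepness * s for s in similarities]
    top = max(shifted)                       # subtract the max for stability
    weights = [math.exp(v - top) for v in shifted]
    total = sum(weights)
    return [k * w / total for w in weights]


def laplace_noise(scale, rng):
    """Lap(0, scale) sample as the difference of two exponential draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def release_location(point, epsilon, sensitivity, rng):
    """M(D) = f(D) + Y with Y ~ Lap(sensitivity / epsilon) per coordinate."""
    if epsilon <= 0 or sensitivity <= 0:
        raise ValueError("epsilon and sensitivity must be positive")
    scale = sensitivity / epsilon
    return tuple(c + laplace_noise(scale, rng) for c in point)


def density_ratio(z, fx, fy, scale):
    """Ratio of the Laplace output densities centred at fx and at fy."""
    return math.exp((abs(z - fy) - abs(z - fx)) / scale)


def worst_case_ratio(epsilon, sensitivity, grid):
    """Largest density ratio over the grid for neighbours 'sensitivity' apart."""
    scale = sensitivity / epsilon
    return max(density_ratio(z, 0.0, sensitivity, scale) for z in grid)


def mean_abs_error(point, epsilon, sensitivity, samples, seed):
    """Empirical per-coordinate error: the utility cost of a given epsilon."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(samples):
        noisy = release_location(point, epsilon, sensitivity, rng)
        total += sum(abs(n - c) for n, c in zip(noisy, point)) / len(point)
    return total / samples


if __name__ == "__main__":
    grid = [i / 10 for i in range(-50, 51)]
    epsilons = customized_epsilons(CLUSTER_SIMILARITY, K_BUDGET, STEEPNESS)
    for idx, eps in enumerate(epsilons):
        err = mean_abs_error((3.0, 4.0), eps, SENSITIVITY, 2000, seed=idx)
        bound = worst_case_ratio(eps, SENSITIVITY, grid)
        print("cluster %d: epsilon=%.3f ratio bound=%.3f error=%.2f km"
              % (idx, eps, bound, err))
```

The output shows the trade-off the section describes: the cluster with the smallest ε has the tightest ratio bound and the largest coordinate error.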


ε-Customizable Differential Privacy Formulation. To prevent data release in ENs, 
we model the ε-customized differential privacy method. We map the privacy 
protection level using the clustering method and multihop with QoS. Users submit 
sensitive location data under the EC clustering paradigm. These data must be 
protected against attackers. ENs also vary in capacity and processing capability. 
As a result, we construct the second scheme as follows. 

We utilise ε-customizable differential privacy. In the case of M — 0(x), we 
defined the mechanism as follows: 


Pr [M(D) € Q] = exp(QoS(e;)) - Pr [M(D’) € 9] 


exp(O) simi - £) 


= exp(k x -Pr{[M(D') EQ 
( exp (OL simix Fy, ee | 
s.t. 

VQ C x, 


Y(D, D’) € Y, 


where y represents the result of the noised location and D denotes the 
location-sensitive data’s storage space. ε > 0 signifies the proximal relationship 
between the data, and y C V(D,D’) C w denotes the proximal relationship 
between the data. We treat D, and Dı as changeable datasets to allow the 
proposed model to include additional dynamic characteristics. 

Three criteria are defined in order to underpin the configurable privacy 
protection approach and clustering model. Initial ε-customizable protection is 
provided by the first qualifier. Each piece of sensitive location data is referred to 
as p;, and e( E) should be fulfilled by anticipations {y;,} from pp. The second 
qualification’s purpose is to specify a maximum degree of privacy protection for 
the upper bound EN which where the sources are. 

The second requirement specifies the degree of privacy protection that the 
upper limit EN should be maximum. As stated above, the composition in its 
entirety represented as: 


com(e) = 5 Mold) (18) 


t=1,kA1 k 

In the third qualification, we optimise user-published data utilities. The 
response of the real output xq should be the most accurate noisy n from mech- 
anism M. Additionally, various approximations {Yap} result in a range of data 
utility optimisation values. Thus, we can represent the total usefulness of the 


data as follows: 
n n 
2 
YS Ell yap — 2% Ilo (19) 
d=1 p#1 
Thus, optimal tradeoffs will be evaluated based on the anticipated greatest 
degree of privacy protection and lowest data usefulness. 


exp(6)simix + £) 


Sý exp(0t simip -x) 
n,n 


SO Mold >) < marMp(~)) (20) 


ik dik 


c=kx 


n n 


YDE] Yik — Ti \|3 > min( DU) 


i=1 k£1 


5 Performance Evaluation 


To evaluate the performance of our proposed DDSDP model, we examine a series 
of simulations in this section. We first assess data utilities by sampling time 
periods at various places, then privacy protection levels at different locations. 
Finally, the experiment assesses the clustering approach’s performance, including 
clustering, transmission and loading outcomes for the total ENs. We used the 
VicFreeWiFi Access Point Locations dataset [1] to validate these findings. The 
dataset covers distances of over 300 km geographically and a minimum of 250 MB of 
data flow per device every day. In the dataset, 391 nodes are located in the 
city centre, 44 nodes are located in the northbound zone, and 82 nodes are 
located in the west-northbound region. This data impairs adversaries’ ability 
to identify the location of users. 

Because SDN-enabled EC should allow more customization choices without 
sacrificing original performance, we begin by analysing clustering efficiency 
and evaluating network performance as a result of SDN-enabled clustering. 
Furthermore, we evaluate our DDSDP model against a range of ε values in order to 
optimise the ε-specific differential privacy protection technique. 
Additionally, two additional methods are compared: classic customisable 
differential privacy (CCDP) and classic ε-differential privacy (CDP). In CDP, 
the Laplacian process produces noise. The CCDP provides a customizable degree of 
privacy and adheres to Laplacian noise. 


5.1 Clustering Analysis 


Figure 2 illustrates the node clustering results from our DDSDP model’s initial 
scheme clustering technique. The expected number of clusters is 16, created from 
517 accessible ENs. We assess system performance using three similarity values. 
The lowest similarity is 2.00000e-9, the median is 0.017874, and the highest is 
1.276488. Likelihood is dependent on location, length, and connection speed. The 
homogeneity rate is 0.513, which shows how closely related nodes are grouped. 
This dataset’s rate is heavily influenced by connection speed. It has a V-measure 
and completeness of 0.333 and an adjusted Rand index of 0.080. The first scheme 
clustering system produces excellent clustering results. 


[Figure: scatter plot titled "Estimated number of clusters: 16".] 


Fig. 2. Edge Node (EN) clustering results. 


5.2 Data Utilities Performance 


Figure 3 illustrates the outcomes of our DDSDP data utilities. The figure depicts 
the overall QoS functionality. We compare our findings with raw data values for 
ε = 0.1, ε = 0.5, and ε = 1, which makes it relevant to different situations. We 
begin by aggregating 20 clustered EC nodes based on QoS metrics derived from 
the distances between clusters. The Laplacian process generates a large amount 
of noise in the form of responses. As illustrated in the figure, decreasing the 
value of ε results in improved overall data utility performance. When ε = 0.1, we 
use clustering time slot 5 to achieve the peak value of 1.7. 


[Figure: y-axis "Data Utility"; x-axis "Sampling Time Slot with Different Location"; series: Raw Data, Data Utility (ε = 1), Data Utility (ε = 0.5), Data Utility (ε = 0.1).] 


Fig. 3. Data utilities performance with three ε values. 


Dual Scheme Privacy-Preserving in Edge Computing 313 


Furthermore, we examine various clustering scenarios in terms of privacy 
protection performance. To build up the customised ε, we enable three sample 
parameter values from the data utilities evaluation. In order to mimic the 
Laplacian mechanism’s unpredictability, three ε values were chosen. Figure 4 
compares privacy protection levels in terms of configurable ε. It achieves a 
maximum privacy protection level of 1.5 while sampling time slot 7, while 
sampling time slot 20 maintains the greatest degree of privacy protection. 
Although the performance for three parameters varies across clusters, it 
demonstrates the significance of customisation. Moreover, we set ε = 1 for the 
cluster in time slot 4. 


[Figure 4 plot; y-axis: Generated Data with Different Protection Levels; x-axis:
Sampling Time Slot with Different Locations; series: Raw Data, Generated Data
(ε = 1), Generated Data (ε = 0.5), Generated Data (ε = 0.1).]


Fig. 4. Different locations privacy levels. 


5.3 Performances Against Attacking Scenarios 


Figure 5 demonstrates the performance level of privacy protection in a wormhole
attack scenario against solitary and clustered ENs. The DDSDP model is
compared to the other two classic models. Two dotted green lines show the
ε value of the adversary’s data. A lower ε results in greater privacy protection. Since
our approach relies on ε-customized differential privacy, a lower value of ε
indicates less data given to adversaries. ε has two values. When ε = 0.45, the
adversary can identify most of the location data and is familiar with the other
attacking models. ε = 2.05 is the point at which CDP and CCDP are completely
functioning and can offer comprehensive protection for consumers. All ε values
between the dashed green lines except DDSDP model provide optimum protection.
As a result, DDSDP can offer stronger protection strategies when assaults
occur where CDP and CCDP suffer.

Figure 6 illustrates the performance of the proposed DDSDP model against a
DDoS attack. We utilise ε values of 0.45 and 2.05 from previous figures. Because
the composition process is still free, CDP is unaffected by DDoS attacks. On top
of that, the ε rises from 0.45 for DDSDP and CCDP. However, DDSDP shows
that two or more opponents will not collect any additional information following
an assault. Here, the total ε equals the maximum ε value at the time of the assault. As a result,
the DDSDP model we presented above outperforms both common attacking
techniques.

Fig. 5. Attacking Scenario 1: (a) Location data shared by multiple users to individual
Edge Node (EN); (b) Location data shared by multiple users to clustered Edge Nodes
(ENs).

Fig. 6. Attacking Scenario 2: (a) Location data shared by multiple users to individual
Edge Nodes (ENs); (b) Location data shared by multiple users to clustered Edge Nodes
(ENs).


6 Conclusion and Future Works 


In this paper, we proposed a privacy protection mechanism (DDSD) for SDN-enabled
EC. Our proposed model includes two schemes: SDN-based EN clustering
and ε-customized differential privacy to defend against two common
attacker techniques. As a first step, we created our first clustering-based
protection system. As a result, attackers cannot identify the location data in the
first place. Furthermore, we integrated an ε-customizable differential privacy model
that adds noise to the SDN-based EN cluster. Our extensive experimental
findings established that the proposed model and clustering approach not
only exhibit high reliability in specified situations, but also offer configurable
location-aware data privacy protection. Moreover, we will consider further
optimizing the data utilities and privacy loss by using a Markov Decision Process
(MDP), which will provide optimal tradeoff solutions. Reinforcement
learning methods will also be tested to optimize the convergence speed.


Abstract. To prevent users from using Tor for anonymous communication, many
regulatory agencies have blocked the IP addresses of public Tor routers in Tor 
networks, resulting in the interception of traffic to Tor public routers. Existing 
research solves this problem by introducing bridge nodes into the Tor network 
to avoid supervision: The bridge node is usually the entrance node of the Tor 
network, and its information is not completely public on the network, so it cannot 
be intercepted completely. This allows anonymous users to access the Tor network 
through the bridge node, which can effectively avoid Tor censorship. Nevertheless, 
many studies still focus on the discovery of Tor bridge nodes. The technology of 
bridge node discovery in Tor networks within recent years is summarized in this
paper.


Keywords: Tor networks · Bridge · Tor relay nodes


1 Introduction 


A Tor network [1], as shown in Fig. 1, is an overlay anonymous network in which each 
Tor router runs as a normal user-level process without any special privileges. Each user 
runs local software called an onion proxy to fetch directories, establish circuits across 
the network, and handle connections from user applications. These onion proxies accept 
TCP streams and multiplex them across the circuits. The Tor router on the other side 
of the circuit connects to the requested destinations and relays data. A Tor network 
relies on onion routing to guarantee anonymity. Onion routing [1], as shown in Fig. 2, is 
a distributed overlay network protocol designed to anonymize TCP-based applications 
like web browsing, secure shell, and instant messaging. Clients choose a path through the 
network and build a circuit in which each onion router in the path knows its predecessor 
and successor but no other nodes in the circuit. 

Normal clients access the Tor core network directly through public Tor entry routers 
listed in the consensus file available at the official Tor website. To anonymously com- 
municate with a web server, a normal client uses source routing and chooses a series of 
onion routers (generally three) from a downloaded consensus file. The selected onion 
routers construct an anonymous path along which a circuit will be set up incrementally 
by applying onion routing. Figure 1 depicts a circuit created incrementally along the
path Source → Router A → Router B → Router C. Here, Routers A, B, and C also refer
to entry, middle, and exit nodes, respectively. 

Fig. 1. Sample Tor circuit between source and destination.


Tor has been commonly used for resisting various forms of censorship [2]. However, 
Tor uses source routing for communication privacy, and the information of all Tor routers 
is available to clients and publicly listed on the Internet [3]; thus, blocking Tor is as simple 
as blocking connections to those known Tor routers. To resist the censorship blocking 
of public Tor routers, bridges were introduced in Tor. A bridge can act as the first hop 
relaying user traffic into the core Tor network, i.e., entry node (Router A) in Fig. 1. 
The bridge information is not listed on the Internet. As described in [4], the bridge 
population significantly varies over time: It has steadily grown from 2.8K active public 
bridges in July 2012 to a maximum of 12.7K in July 2014; it began declining in January 
2015, falling to 5.3K by April 2016. A few bridge pools exist and some are stored on 
the bridge https and email servers. A user can access the bridge https server or send 
a Google/Yahoo email to the bridge email server to retrieve three bridges at one time. 
Bridges are also distributed through various social networks. 




Fig. 2. Tor onion routing, Routers A, B, and C correspond to those in Fig. 1, respectively. 

For subjects such as blocking Tor, Tor censorship, finding available bridges, Tor net-
work analysis, performance improvement, and bridge concealment, a number of studies 
have focused on bridge discovery. Although Arma presented 10 possible ways to obtain 
bridges on Tor’s official website [5], he did not describe the exact bridge acquisition 
method in detail. In this paper, a brief survey of bridge discovery with respect to bridge 
categories and discovery schemes is conducted. 


2 Background 


The components of Tor and bridges are reviewed in this section. As described in [6], a 
Tor client runs an onion proxy (OP) to anonymize the client data into Tor. Tor uses a 
multi-hop proxy mechanism to protect user communication privacy: The client first uses 
a weighted random routing algorithm to select three relay nodes from the consensus file 
as the Tor network entry, middle, and exit nodes and then establishes a circuit with these 
relay nodes hop by hop. As shown in Fig. 2, the client encapsulates the sent data with 
three-layer encryptions. In the process of data transmission, the entry, middle, and exit 
nodes sequentially decrypt and restore the plaintext and then send it to the destination. 
The client’s user privacy is guaranteed by using onion routing, under which any relay 
node cannot know the IP address of both the client and the destination server, and the 
client IP address is also unknown to the destination server. The public relay node list is 
stored in the accessible consensus file; therefore, to block Tor network communication, 
one only needs to block the IP addresses of the public relay nodes obtained from the
accessible consensus file. Bridge nodes were introduced into the Tor project to resist 
such supervision. The Tor project provides all the source code of the Tor system. Users 
can create bridge nodes by downloading Tor source code and use bridge nodes instead 
of public relay nodes as entry nodes. Since the bridge node information is not accessible, 
under this situation, regulatory agencies cannot block Tor communication effectively. 
Bridge nodes are classified into two categories: public bridge nodes and private bridge 
nodes [4]. Public bridge node information is stored in the Tor network directory server, 
which only provides three public bridge nodes to a user at a time. Therefore, it is not 
easy to obtain the information of all bridge nodes. Of course, users can obtain a large 
amount of bridge node information through distributed enumeration. The private bridge 
node information is only kept by the creator and cannot be obtained by other users. 

Although Tor can use bridge nodes to circumvent supervision based on IP blocking,
supervisors can still identify Tor traffic through deep packet inspection (DPI)
technology [7]. To obscure the characteristics of Tor communication when bridge nodes
are used, a transport plug-in called an obfs, or obfuscation, proxy was developed
by the Tor project. The latest version of obfs4 [8] uses BridgeDB to implement key
exchange based on bridge authentication. The client queries the bridge node through
BridgeDB and obtains its IP address, node ID, and public key information. Only by
matching these three conditions at the same time can it pass the identity verification of
the obfs4 node and establish a connection. obfs4 not only effectively obfuscates Tor traffic
but also, through bridge authentication, resists active detection attacks
and man-in-the-middle attacks.


3 Bridge Discovery Schemes


The discovery methods of bridge nodes are classified and summarized in this section. 
The specific methods are as follows. 


3.1 Normal Bridge Enumeration Mechanism 


Ling et al. elaborated on and verified the method of obtaining bridge node information
in batches through email and http requests in [6]. An attacker can use a Yahoo or Gmail
account to send an email to the bridge email server (bridges@torproject.org) with the
line “get bridges” in the body of the mail. The bridge email server promptly replies
with three distinct bridges. To avoid malicious enumeration, the bridge email server
only replies with one email to an email account each day. Alternatively, the user can
access the bridge website (https://bridges.torproject.org) to obtain three bridges. To
avoid malicious enumeration, the https server distributes three bridges to each 24-bit IP
prefix each day as well.

The authors verified the effectiveness of the above method of obtaining bridge nodes
through emails and http requests. Since each mailbox can only obtain three pieces of
bridge node information per day, obtaining more bridge node information requires a large
number of mailboxes to send bridge node request emails, but an IP address can only apply
for one Yahoo mailbox. To solve this problem, the authors applied for Yahoo mailboxes
through more than 500 PlanetLab nodes and also used more than 500 exit nodes of the
Tor network as agents to apply for Yahoo mailboxes. In the end, the authors applied for
more than 2,000 Yahoo mailboxes in total and enumerated more than 1,500 bridge nodes
within 22 days through these mailboxes. In addition, the authors also used these PlanetLab
nodes and Tor exit nodes to retrieve the bridges from the bridge website
(https://bridges.torproject.org) and obtained more than 550 bridge nodes within 37 days. McLachlan
described a similar method in [9]. The advantage of the above bridge node enumeration
method is that the fingerprint information of the bridge node can be obtained. With
the fingerprint information, these bridge nodes can be used to construct anonymous
communication links for anonymous communication. To avoid the information of all
bridge nodes being enumerated, the bridge website may only provide part of the bridge
node information for users to obtain within a period of time. In addition, only public
bridge nodes can be obtained in this way; private bridge nodes cannot be obtained using
this method.


3.2 Bridge Inference by Malicious Tor Middle Routers 


Ling et al. also described a method of using malicious middle nodes to infer bridge 
nodes in [6]. The anonymous circuit of the Tor network is composed of entry, middle, 
and exit nodes. The entry node may be a general public Tor router or a bridge node. The 
anonymous traffic received by the middle node comes from the entry node. A malicious 
middle node can obtain the IP addresses of all entry nodes by extracting the source IP 
of the received data packets. By excluding the IP addresses of the known public routers, 
an attacker obtains the IP information of the bridge nodes. This method requires that the 
middle node be a controlled node, and the identified bridge nodes only include those 
transmitting anonymous communication traffic through the controlled middle node. To
identify more bridge nodes, the controlled middle node must have a higher bandwidth 
to attract more anonymous communication traffic. 


3.3 Tor Bridge Discovery Through Internet-Wide Scans 


Ports 443 and 9001 are common ports for Tor bridges and relays, and the TLS protocol 
is used for encryption and authentication between bridges/relays. Based on the above 
characteristics, Durumeric et al. [10] and Tsyrklevich [11] successively proposed a
bridge node discovery method based on Internet-wide scans. Durumeric et al. exploited 
the ZMap tool to perform Internet-wide scans on ports 443 and 9001 and applied a set 
of heuristics to identify likely Tor nodes. For hosts with one of these ports open, they 
performed a TLS handshake using a specific set of cipher suites supported by Tor’s “v1 
handshake.” When a Tor relay receives this set of cipher suites, it will respond with a 
two-certificate chain. The signing (“Certificate Authority”) certificate is self-signed with 
the relay’s identity public key and uses a subject name of the form “CN = www.X.com,” 
where X is a randomized alpha-numeric string. This pattern matched 67,342 hosts on port
443 and 2,952 hosts on port 9001. Durumeric et al. then calculated each host’s identity 
fingerprint and checked whether the SHA1 hash appeared in the public Tor metrics 
list for bridge pool assignments. Hosts that were found matched 1,170 unique bridge 
fingerprints on port 443 and 419 unique fingerprints on port 9001, with a combined 
total of 1,534 unique fingerprints (some were found on both ports). From the bridge 
pool assignment data, they found that 1,767–1,936 unique fingerprints were allocated at
any given time in the recent past, which suggests that they were able to identify 79%–86%
of allocated bridges at the time of the scan. The unmatched fingerprints in the Tor
metrics list may correspond to bridges missed, offline bridges, or bridges configured to 
use a port other than 9001 or 443. Based on the work of Durumeric et al., Tsyrklevich 
[11] identified pluggable transport (PT) [4]-enabled bridges. A PT is just a wrapper 
for the Tor protocol that transforms the Tor traffic flowing between clients and bridges 
to prevent DPI attacks. Experimental results have also proven the effectiveness of the 
Internet-wide scan method in bridge recognition. Wilde also described a similar method 
in [12]. The advantage of the above method is that there is no need to deploy malicious 
Tor relay nodes. It only needs to detect the 443 and 9001 ports of a large number of IP 
addresses and further verify the detection results. The disadvantage of this method is its 
poor timeliness. Because the set of active bridges is constantly changing, the data would 
be stale by the time a long-running scan was complete. 


3.4 Tor Bridge Identification Through DPI 


In 2011, Iran added a filter rule to its border routers that recognized Tor traffic and 
blocked it. Arma investigated the situation in [13] and found the following. (1) Tor 
tries to make its traffic look like a web browser talking to a https web server, and the 
characteristic of Tor’s SSL handshake was the expiry time for SSL session certificates. 
(2) Tor’s SSL handshake rotates the session certificates every 2 h, whereas normal SSL 
certificates received from a certificate authority typically last a year or more. The fix was 
to simply write a larger expiration time on the certificates, so the current certificates in 
use have more plausible expiry times. Another DPI-based method developed by Winter
et al. [14] and Wilde [12] is to check a special cipher list in the Tor TLS handshake. The
cipher list is part of the TLS client hello, which is sent by the Tor user to the relay or
bridge after a TCP connection has been established. This particular cipher list appears
to be unique to Tor: c0 0a c0 14 00 39 00 38 c0 0f c0 05 00 35 c0 07 c0 09 c0 11 c0 13
00 33 00 32 c0 0c c0 0e c0 02 c0 04 00 04 00 05 00 2f c0 08 c0 12 00 16 00 13 c0 0d
c0 03 fe ff 00 0a 00 ff. Through these methods, a Tor TLS handshake can be detected,
thereby determining whether the entry node is either a public relay or a bridge.


3.5 Tor Bridge Detection Based on TCP SYN Connections 


Yang et al. [15] proposed a bridge detection method based on the following observa- 
tion: When connecting to a Tor network via bridges, the client first creates a series of 
non-blocking sockets and then connects those sockets one after another in a short period 
for establishing TCP connections to chosen bridges. The chosen bridges include two 
parts: bridges configured by users and bridges cached by Tor software. As with most 
applications, the Tor client does not bind pre-determined source ports for those con- 
nections. Conversely, it is the operating system that assigns ephemeral source ports for 
connections to chosen bridges. Such ephemeral source ports are usually consecutively 
allocated in widely used operating systems like Windows platforms. As a result, multiple 
SYN packets with consecutive source ports will be sent almost simultaneously, destined 
for different bridges. Therefore, if multiple SYN packets from the same IP address with 
consecutive source ports are observed, then the destination IPs are extracted, and, if at 
least one destination IP belongs to a known bridge set, then all the other destination IPs 
are inferred to be bridges. This is called the opportunism bridge detection method and 
requires a large known bridge set. 
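
The heuristic described above can be turned into an exposure check on one's own traffic: given SYN summaries from a client host and one bridge assumed to be already known to an observer, which other destinations would be linked to it? This is an added example, not code from Yang et al. [15]; the log format, function names, one-second window, and minimum run length of three are assumptions, and all addresses are constructed documentation-range values.

```python
from collections import defaultdict, namedtuple

Syn = namedtuple("Syn", "ts src sport dst")

# Constructed capture summaries: "ts src sport dst dport flags".
SEQUENTIAL_LOG = """
0.000 10.0.0.5 49152 192.0.2.10 443 S
0.004 10.0.0.5 49153 198.51.100.7 9001 S
0.009 10.0.0.5 49154 203.0.113.20 443 S
0.050 192.0.2.10 443 10.0.0.5 49152 SA
0.950 10.0.0.5 49152 192.0.2.10 443 S
5.000 10.0.0.5 49155 192.0.2.99 80 S
"""
RANDOMIZED_LOG = """
0.000 10.0.0.5 51344 192.0.2.10 443 S
0.004 10.0.0.5 60211 198.51.100.7 9001 S
0.009 10.0.0.5 49877 203.0.113.20 443 S
"""


def parse_syn_log(text):
    """Keep pure SYN lines; skip SYN-ACKs, other segments and malformed lines."""
    syns = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != "S":
            continue
        ts, src, sport, dst, _dport, _flags = parts
        syns.append(Syn(float(ts), src, int(sport), dst))
    return syns


def _qualifies(run, min_len):
    """A run counts only if it reaches at least min_len distinct destinations."""
    return len({s.dst for s in run}) >= min_len


def find_port_runs(syns, window=1.0, min_len=3):
    """Group each source's SYNs into runs of consecutive source ports within window."""
    by_src = defaultdict(dict)
    for s in sorted(syns, key=lambda s: s.ts):
        # A retransmitted SYN reuses its source port; keep the first sighting.
        by_src[s.src].setdefault(s.sport, s)
    runs = []
    for by_port in by_src.values():
        run = []
        for port in sorted(by_port):
            s = by_port[port]
            if run and port == run[-1].sport + 1 and abs(s.ts - run[0].ts) <= window:
                run.append(s)
                continue
            if _qualifies(run, min_len):
                runs.append(run)
            run = [s]
        if _qualifies(run, min_len):
            runs.append(run)
    return runs


def exposed_by_association(runs, known):
    """Destinations that share a run with an already-known bridge address."""
    exposed = set()
    for run in runs:
        dsts = {s.dst for s in run}
        if dsts & known:
            exposed |= dsts - known
    return exposed


if __name__ == "__main__":
    for name, log in (("sequential", SEQUENTIAL_LOG), ("randomized", RANDOMIZED_LOG)):
        runs = find_port_runs(parse_syn_log(log))
        print(name, sorted(exposed_by_association(runs, {"192.0.2.10"})))
```

With randomized source ports, as in the second constructed log, no run forms and nothing is linked, which is the dependence on the operating system's port allocation strategy that the Discussion points out.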


3.6 Tor Bridge Detection Based on Flow Classification or Identification 


The idea of the bridge identification method based on Tor traffic classification and
identification is to first identify Tor anonymous communication traffic, then extract the
source and destination IP addresses of the traffic, and finally exclude the IP addresses of the
known public routers listed in the accessible consensus file to obtain the bridge node
information. Several studies have focused on Tor flow classification [16, 17]. In [16], Shahbar
et al. aimed to analyze the amount of information that can be extracted from the encrypted
Tor traffic without decrypting the traffic. They employed two different approaches for 
the classification of user activities. The first approach is flow level classification, and it 
depends on analyzing the TCP communication between the user and the Tor relay to 
predict the type of user activities in the encrypted traffic. The second approach is circuit- 
level classification. The encrypted circuits have characteristics that can be extracted and 
calculated to classify the type of traffic in the circuits. 

In [18], traffic analysis was used to discover the identity of the user using the Tor 
network. The analysis depends on the size of the packet transmitted on the network from 
the web server through the router to the user. Tor has a fixed cell size, but the packet size 
can vary. The authors of [18] used padding with one bit to mark the packets so that they 
could be traced back at the receiver side. They reported that 10 packets are enough to 
get reasonable detection with a low number of false positives. The length of the padding
will force the Tor router to use the known number of cells. The Tor cell size is 512 bytes, 
which means if the data size is more than 512 bytes, then it must be fragmented to fit 
into the cell size. This enabled the authors to mark the client receiving these cells as the 
client having access to the server. 

To avoid censorship, obfs4 has been widely deployed to obscure the flow between 
a Tor client and bridge. In [19], He et al. proposed a scheme for obfs4 traffic detection 
based on two-level filtering. They sequentially utilized coarse-grained fast filtering and 
fine-grained accurate identification to achieve high-precision, real-time recognition of 
obfs4 traffic. In the coarse-grained filtering phase, they used a randomness detection
algorithm to detect the randomness of the handshake packet payload in the communication
and used the timing-sequence characteristics of the packet in the handshake process to 
remove other interference traffic. In the fine-grained identification phase, they analyzed 
its statistical feature on a large amount of obfs4 traffic and used classification algo- 
rithms to identify the obfs4 traffic. Their experimental results show that the accuracy for 
identifying obfs4 traffic is above 99% when using a support-vector-machine algorithm, 
which indicates that obfs4 cannot effectively counteract traffic analysis attacks in
practical applications. Once an instance of obfs4 traffic was identified, the corresponding IP
address could be further checked, based on the port, to confirm whether it was a bridge.

Through the above methods, one can first identify which users are using a Tor network 
for anonymous communication, then extract the destination IP addresses of anonymous 
traffic sent by these users, and finally remove public relays from them to obtain the 
bridge node information. 


4 Discussion 


Among the above studies on bridge recognition, only the bridge node information 
obtained based on http and e-mail requests described in [6] contains the fingerprint 
of the bridge nodes. According to the obtained bridge node fingerprint information, the 
obtained bridge node can be used to construct a circuit for anonymous communication. 
In addition, the connection configuration window of the Tor browser also provides the 
function of obtaining three bridge nodes and their fingerprints. Although the other
methods cannot obtain the fingerprint information of a bridge node, the obtained IP address
and port information of the bridge nodes can meet the requirements of blocking Tor, Tor 
censorship, finding available bridges, Tor network analysis, performance improvement, 
bridge concealment, etc. The above-mentioned bridge node discovery algorithms are 
summarized in Table 1. In the table, “bridge availability” indicates that the method can 
obtain fingerprint information of bridge nodes and that the fingerprint information can 
be used to construct an anonymous communication circuit; “bridge comprehensive” 
indicates the proportion of bridge nodes that can be discovered by the particular method 
in the total bridge nodes of the Tor network; “discovery efficiency” indicates the effi- 
ciency of the method, i.e., the number of bridge nodes discovered per unit time; “method 
effectiveness” indicates whether the bridge node discovery methods are still available; 
and “method precision” indicates the proportion of real bridge nodes among the bridge 
nodes discovered by the listed methods. 

Table 1. Comparison of bridge discovery methods.


Method                 | Study                   | Bridge       | Bridge        | Discovery  | Method        | Method
                       |                         | availability | comprehensive | efficiency | effectiveness | precision
-----------------------+-------------------------+--------------+---------------+------------+---------------+----------
Normal mechanism       | Ling et al. [6]         | Yes          | Middle        | High       | Yes           | High
                       | McLachlan et al. [9]    | Yes          | Middle        | High       | Yes           | High
By Tor middle router   | Ling et al. [6]         | No           | Low           | Low        | Yes           | High
Internet-wide scans    | Durumeric et al. [10]   | No           | High          | Low        | Yes           | High
                       | Tsyrklevich et al. [11] | No           | High          | Low        | Yes           | High
Through DPI            | Arma [13]               | No           | Low           | Low        | No            | High
                       | Wilde [12]              | No           | Low           | Low        | No            | High
                       | Winter et al. [14]      | No           | Low           | Low        | No            | High
TCP SYN based          | Yang et al. [15]        | No           | Low           | Low        | Yes           | Low
Flow classification or | Shahbar et al. [16]     | No           | Low           | Low        | Yes           | Middle
identification         | Shahbar et al. [17]     | No           | Low           | Low        | Yes           | Middle
                       | Ling et al. [18]        | No           | Low           | Low        | Yes           | Middle
                       | He et al. [19]          | No           | Low           | Low        | Yes           | Middle

Through the above comparison, one can find that the bridge node discovery meth- 
ods mainly include the following: 1) The actual and available bridge node information 
can be obtained by using http and email requests; 2) the method of middle malicious 
forwarding nodes requires the attacker to deploy controllable middle forwarding nodes 
and can only identify the bridge nodes based on the monitored traffic; 3) although more 
comprehensive bridge node information can be obtained through Internet-wide scans, 
this takes a long time and requires further verification of suspected bridge nodes, so the 
real-time performance is poor; 4) the extraction of bridge node information through DPI 
depends on the particular cipher list used in Tor TLS negotiation; 5) the TCP SYN-based
bridge node discovery method relies on the operating system's allocation of ephemeral
source ports for connections to the chosen bridges, and if the operating system modifies
the source port allocation strategy, this method will then not achieve the expected effect;
and 6) the method based on flow classification or identification mainly realizes bridge 
node identification based on anonymous communication traffic classification, and its 
accuracy depends on the accuracy of the flow classification or identification method. 


5 Conclusions 


This article focuses on the discovery of bridge nodes in the Tor network, and several 
bridge node discovery methods are analyzed and summarized. Analysis results show 
that although the Tor project tries to conceal anonymous users through bridges, the 
concealment of bridge nodes is not perfect, and the existence of bridge nodes can still 
be discovered through a variety of methods. Future research should further enhance the 
concealment of bridges, with the following goals: 1) Improve the distribution mechanism 
of bridge nodes, increase the verification mechanism, and reduce the risk of public bridge 
information being obtained through a large number of enumerations through http and
email servers; 2) encourage users to establish and use bridges, so that the greater the 
number of bridge nodes, the stronger the concealment; 3) in addition to Meek [20] and 
obfs technology, new Tor traffic camouflage methods should be studied to reduce the 
risk of Tor traffic being identified; and 4) many web services prohibit Tor access by 
blocking the IP of the Tor exit node, the information of which is public. Therefore, the 
use of exit bridges [21, 22] to bypass server-side censorship—which has rarely been 
researched—should be studied. 